https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-i-detect-vpn-extension-in-browser-chrome-firefox-brave/m-p/571561#M5833 <P>Hi&nbsp;<SPAN class="UserName lia-user-name lia-user-rank-Cyber-Elite lia-component-message-view-widget-author-username"><SPAN>&nbsp;</SPAN><A id="link_17" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130" target="_self" aria-label="View Profile of aleksandar.astardzhiev"><SPAN class="login-bold">Aleksandar.Astardzhiev</SPAN></A></SPAN></P> <P>Thanks for the reply. currently I find something and trying to follow this process, it usually detects some <STRONG>.crx</STRONG> name extension which is exist on some endpoint. Maybe it will help to u also. Please share you opinion.&nbsp;<BR />link :&nbsp;<BR /><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-poc-monitoring-malicious-chrome-extensions/td-p/519888" target="_blank">LIVEcommunity - Cortex XDR PoC: Monitoring Malicious Chrome Extensions - LIVEcommunity - 519888 (paloaltonetworks.com)</A></P> Wed, 03 Jan 2024 10:23:44 GMT Prashanta 2024-01-03T10:23:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-i-detect-vpn-extension-in-browser-chrome-firefox-brave/m-p/571514#M5831 <P>How I detect <STRONG>VPN extensions</STRONG> in browser ( like, EDGE, Chrome, Firefox, Brave)? with XQL query.</P> Wed, 03 Jan 2024 04:55:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-i-detect-vpn-extension-in-browser-chrome-firefox-brave/m-p/571514#M5831 Prashanta 2024-01-03T04:55:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-i-detect-vpn-extension-in-browser-chrome-firefox-brave/m-p/571558#M5832 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/593283889">@Prashanta</a> ,</P> <P>&nbsp;</P> <P>In my humble opinion there is no way to detect browser extensions using the XQL.</P> <P>Generally speaking XQL gives you a way to search/query the event logs. XDR is doing really great job by collecting information which process is generating the network traffic. But this means that those logs will only show that "FireFox is trying to access surfshark.com" (for example), it will not tell if the user is trying to open the page or there is browser extension that is trying to make the connection.</P> <P>&nbsp;</P> <P>Long time ago I tried to achieve something similar - List/Detect browser extensions on endpoint from CortexXDR</P> <P>What I did is I tried to create custom python script that I imported in XDR. <BR />The script was basically searching for the directory where the three most common browsers keep their extensions and read the manifest file and print out the name and the extension ID. My idea was as next step to check the ID agains a list of known malicius IDs like <A href="https://github.com/mallorybowes/chrome-mal-ids" target="_blank">https://github.com/mallorybowes/chrome-mal-ids</A>, but I never complete this.</P> <P>&nbsp;</P> <P>I am not sure if my approach was the best, but in my understanding it is the only one since the Operating System does not make difference if FireFox is trying to connect to VPN because there is extension installed or just user accessing a web page.</P> <P>&nbsp;</P> Wed, 03 Jan 2024 09:59:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-i-detect-vpn-extension-in-browser-chrome-firefox-brave/m-p/571558#M5832 aleksandar.astardzhiev 2024-01-03T09:59:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-i-detect-vpn-extension-in-browser-chrome-firefox-brave/m-p/571561#M5833 <P>Hi&nbsp;<SPAN class="UserName lia-user-name lia-user-rank-Cyber-Elite lia-component-message-view-widget-author-username"><SPAN>&nbsp;</SPAN><A id="link_17" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130" target="_self" aria-label="View Profile of aleksandar.astardzhiev"><SPAN class="login-bold">Aleksandar.Astardzhiev</SPAN></A></SPAN></P> <P>Thanks for the reply. currently I find something and trying to follow this process, it usually detects some <STRONG>.crx</STRONG> name extension which is exist on some endpoint. Maybe it will help to u also. Please share you opinion.&nbsp;<BR />link :&nbsp;<BR /><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-poc-monitoring-malicious-chrome-extensions/td-p/519888" target="_blank">LIVEcommunity - Cortex XDR PoC: Monitoring Malicious Chrome Extensions - LIVEcommunity - 519888 (paloaltonetworks.com)</A></P> Wed, 03 Jan 2024 10:23:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-i-detect-vpn-extension-in-browser-chrome-firefox-brave/m-p/571561#M5833 Prashanta 2024-01-03T10:23:44Z