Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

How I detect vpn extension in browser ( Chrome, Firefox, Brave )?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How I detect vpn extension in browser ( Chrome, Firefox, Brave )?

L2 Linker

How I detect VPN extensions in browser ( like, EDGE, Chrome, Firefox, Brave)? with XQL query.

2 REPLIES 2

Hi @Prashanta ,

 

In my humble opinion there is no way to detect browser extensions using the XQL.

Generally speaking XQL gives you a way to search/query the event logs. XDR is doing really great job by collecting information which process is generating the network traffic. But this means that those logs will only show that "FireFox is trying to access surfshark.com" (for example), it will not tell if the user is trying to open the page or there is browser extension that is trying to make the connection.

 

Long time ago I tried to achieve something similar - List/Detect browser extensions on endpoint from CortexXDR

What I did is I tried to create custom python script that I imported in XDR.
The script was basically searching for the directory where the three most common browsers keep their extensions and read the manifest file and print out the name and the extension ID. My idea was as next step to check the ID agains a list of known malicius IDs like https://github.com/mallorybowes/chrome-mal-ids, but I never complete this.

 

I am not sure if my approach was the best, but in my understanding it is the only one since the Operating System does not make difference if FireFox is trying to connect to VPN because there is extension installed or just user accessing a web page.

 

L2 Linker

Hi  

Thanks for the reply. currently I find something and trying to follow this process, it usually detects some .crx name extension which is exist on some endpoint. Maybe it will help to u also. Please share you opinion. 
link : 
LIVEcommunity - Cortex XDR PoC: Monitoring Malicious Chrome Extensions - LIVEcommunity - 519888 (pal...

  • 2930 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!