01-02-2024 08:55 PM
How do I detect VPN extensions in browsers (like Edge, Chrome, Firefox, Brave) with an XQL query?
01-03-2024 01:59 AM
Hi @Prashanta ,
In my humble opinion there is no way to detect browser extensions using XQL.
Generally speaking, XQL gives you a way to search/query the event logs. XDR does a really great job of collecting information about which process is generating the network traffic. But this means that those logs will only show that "Firefox is trying to access surfshark.com" (for example); they will not tell you whether the user is trying to open the page or a browser extension is trying to make the connection.
A long time ago I tried to achieve something similar - List/Detect browser extensions on endpoint from CortexXDR
What I did was try to create a custom Python script that I imported into XDR.
The script basically searched the directories where the three most common browsers keep their extensions, read the manifest file, and printed out the name and the extension ID. My idea for the next step was to check the ID against a list of known malicious IDs like https://github.com/mallorybowes/chrome-mal-ids, but I never completed this.
I am not sure if my approach was the best, but in my understanding it is the only one, since the operating system does not distinguish whether Firefox is trying to connect to a VPN because there is an extension installed or just a user accessing a web page.
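An added example (not the poster's script and not part of the original thread) of the enumeration described in the reply above, covering only Chromium-based browsers (Chrome, Edge, Brave), which keep installed extensions under `<profile>/Extensions/<id>/<version>/manifest.json`. The `blocklist` argument and the `uses_proxy` flag (set when the manifest requests the `proxy` permission, which VPN/proxy extensions need) are assumptions of this example; Firefox uses a different layout and is not handled.

```python
import json
import re
import sys
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

def load_json(path: Path):
    """Read a JSON file (tolerating a UTF-8 BOM); return None if unreadable."""
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None

def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the display name, resolving __MSG_key__ placeholders via _locales."""
    name = str(manifest.get("name", ""))
    m = re.fullmatch(r"__MSG_(.+)__", name)
    locale = manifest.get("default_locale", "en")
    messages = load_json(version_dir / "_locales" / locale / "messages.json") if m else None
    if not isinstance(messages, dict):
        return name  # not localized, or locale file missing: keep the raw value
    for key, entry in messages.items():  # message keys are case-insensitive
        if key.lower() == m.group(1).lower() and isinstance(entry, dict):
            return entry.get("message", name)
    return name

def list_extensions(extensions_dir, blocklist=frozenset()):
    """Walk <Extensions>/<id>/<version>/manifest.json and describe each extension."""
    found = []
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        if not (ext_dir.is_dir() and EXT_ID.match(ext_dir.name)):
            continue  # skip "Temp" and other non-extension entries
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = load_json(manifest_path)
            if not isinstance(manifest, dict):
                continue  # corrupt manifest
            found.append({
                "id": ext_dir.name,
                "version": manifest.get("version", ""),
                "name": resolve_name(manifest_path.parent, manifest),
                "uses_proxy": "proxy" in manifest.get("permissions", []),
                "flagged": ext_dir.name in blocklist,  # caller-supplied ID list
            })
    return found

if __name__ == "__main__" and len(sys.argv) > 1:
    for ext in list_extensions(sys.argv[1]):
        print(json.dumps(ext))
```

Run it once per browser profile, passing that profile's `Extensions` directory as the argument; the JSON lines it prints can then be collected by whatever runs the script on the endpoint.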
01-03-2024 02:23 AM
Thanks for the reply. Currently I have found something and am trying to follow this process; it usually detects some .crx extension names that exist on some endpoints. Maybe it will help you also. Please share your opinion.
Link:
LIVEcommunity - Cortex XDR PoC: Monitoring Malicious Chrome Extensions - LIVEcommunity - 519888 (pal...