T1176 – Browser Extensions (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-BROWSER-EXT-1176-7842
Alert Time: 2024-02-16 09:30:15 EST
Severity: MEDIUM (72/100)
Source: Microsoft Defender for Endpoint
Rule: “Suspicious Browser Extension Installed”
MITRE ATT&CK: T1176 – Browser Extensions

Alert Details:

Detection: Unauthorized browser extension installed with broad permissions

Host: SLS-WS-045 (Sales Department)

User: mwilson (Mike Wilson, Sales Rep)

Browser: Google Chrome

Time: 09:25 EST

Extension Details:

– Name: “Google Docs Offline Helper”
– ID: gdoc-offline-helper-12345
– Source: Chrome Web Store (external)
– Install Time: 09:24:30 EST
– Permissions Requested:
    – Read and change all data on websites
    – Access browsing history
    – Manage downloads
    – Communicate with cooperating native applications

Installation Source:

– User clicked a pop-up on news-site during browsing
– Pop-up claimed “Chrome update required”
– Extension downloaded and installed automatically

Behavior Analysis:

– Extension has since:
    – Exfiltrated browsing history to 185.143.221[.]89:8080
    – Injected ads into search results
    – Captured keystrokes on banking sites
    – Downloaded additional JavaScript payloads

Threat Intelligence:

– Extension matches the known “AdsExhaust” ad fraud campaign
– Used to steal credentials and browsing data
– Similar extensions installed on 3 other hosts

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed malicious extension installation |
| 2. Extension Analysis | Extract and analyze extension code | Chrome Extension Inspector, Sandbox | Extension contains data exfiltration and keylogging code |
| 3. Network Check | Check for data exfiltration | Zscaler Logs, Firewall | History data sent to 185.143.221[.]89:8080 |
| 4. Immediate Action | Remove extension from host | Chrome Management, PowerShell | Extension uninstalled from affected host |
| 5. Enterprise-wide Check | Search for same extension on other hosts | Defender Advanced Hunting | 3 other hosts with same extension found |
| 6. User Notification | Notify affected users | Email, Teams | All users contacted; passwords reset |
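To make the permission check behind the alert and the host-level work in steps 2 and 5 concrete, here is an added PowerShell example (not part of the original report and not Defender tooling) that inventories Chrome extensions on a Windows host from their manifest.json files and flags the permission set listed in the alert. The profile path, the flag threshold and the IoC list are assumptions; the extension ID is the one from the report.

```powershell
# Added example, not from the report or from Defender: inventory Chrome extensions on a
# Windows host from their manifest.json files and flag the permission set in the alert.
# The profile path, the flag threshold and the IoC list are assumptions.
$ManifestGlob = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json'
$KnownBadIds  = @('gdoc-offline-helper-12345')   # extension ID from the report's IoC list

# Permissions the alert flagged, keyed by their manifest.json names.
$RiskyPermissions = @{
    'history'         = 'Access browsing history'
    'downloads'       = 'Manage downloads'
    'nativeMessaging' = 'Communicate with cooperating native applications'
}
# Host patterns that amount to "Read and change all data on websites".
$AllSitesPatterns = @('<all_urls>', '*://*/*', 'http://*/*', 'https://*/*')

function Get-ChromeExtensionRisk {
    param([string]$ManifestPath)
    $m    = Get-Content -Raw -LiteralPath $ManifestPath | ConvertFrom-Json
    $id   = (Get-Item -LiteralPath $ManifestPath).Directory.Parent.Name   # ...\Extensions\<id>\<version>\manifest.json
    $user = ($ManifestPath -split '\\')[2]                                # C:\Users\<user>\...
    # MV2 lists host patterns under "permissions", MV3 under "host_permissions", and
    # content_scripts "matches" grant page access too, so all three are checked.
    $perms = @($m.permissions) + @($m.host_permissions) +
             @($m.content_scripts | ForEach-Object { $_.matches }) | Where-Object { $_ -is [string] }
    $flags = @()
    if ($perms | Where-Object { $AllSitesPatterns -contains $_ }) { $flags += 'Read and change all data on websites' }
    foreach ($p in $RiskyPermissions.Keys) { if ($perms -contains $p) { $flags += $RiskyPermissions[$p] } }
    [pscustomobject]@{
        User      = $user
        Id        = $id
        Name      = $m.name       # '__MSG_*__' means a localized name stored under _locales\
        Version   = $m.version
        KnownBad  = $KnownBadIds -contains $id
        RiskScore = $flags.Count  # 4 = the full set from this alert
        RiskFlags = $flags -join '; '
    }
}

# Report known-bad IDs and anything carrying most of the alert's permission set (threshold is an assumption).
Get-ChildItem -Path $ManifestGlob -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChromeExtensionRisk -ManifestPath $_.FullName } |
    Where-Object { $_.KnownBad -or $_.RiskScore -ge 3 } |
    Sort-Object KnownBad, RiskScore -Descending |
    Format-Table User, Id, Name, RiskScore, RiskFlags -AutoSize
```

Run it elevated so every user profile on the host is readable; a hit on RiskScore alone is a triage lead, not proof of malice, since some legitimate extensions request the same set.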

Jira Incident Report
Ticket: SOC-2024-081
Summary: T1176 – Malicious Browser Extension Installed via Fake Update
Status: RESOLVED
Resolution: MALICIOUS – Extension Removed
Priority: P2 – MEDIUM
Labels: T1176, browser-extensions, chrome, defender, data-exfiltration
Components: Endpoint-Security, Browser-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Endpoint.
Alert: “Suspicious Browser Extension Installed”.
Host: SLS-WS-045 (Sales Department, user mwilson).
Time: 2024-02-16 09:30 EST.
Technique: MITRE ATT&CK T1176 – Browser Extensions.

2. Technical Analysis:

Attack Chain:

09:20 – User visits news-site.com

09:21 – Malicious pop-up appears: “Chrome update required”

09:22 – User clicks “Update Now”

09:23 – Chrome downloads extension from Chrome Web Store (legitimate store, malicious extension)

09:24 – Extension installed with broad permissions

09:25 – Defender alerts based on behavior

Extension Analysis:

Name: “Google Docs Offline Helper” (masquerading)
ID: gdoc-offline-helper-12345
Permissions: Read/write to all sites, history, downloads, native messaging
Malicious Functions:
Exfiltrates browsing history to C2 every 5 minutes
Injects ads into search results (ad fraud)
Captures keystrokes on banking sites (Bank of America, Chase, etc.)
Downloads additional JavaScript from C2

Data Exfiltrated:

Browsing history (last 7 days)
Saved passwords (from browser password manager)
Cookies (session hijacking)

Scope:

4 hosts total affected (all in Sales department)
All installed same extension

3. Investigation Findings:

Timeline:

09:20 – User visits news site

09:24 – Extension installed

09:25 – Defender alert

09:27 – SOC investigation begins

09:30 – Host isolated; extension removed

09:45 – Enterprise-wide hunt finds 3 more hosts

Indicators of Compromise (IoCs):

Extension:

– Name: “Google Docs Offline Helper”

– ID: gdoc-offline-helper-12345

Network:

– C2: 185.143.221[.]89:8080

Hosts:

– SLS-WS-045, SLS-WS-046, SLS-WS-047, SLS-WS-048

4. Containment Actions:

Immediate Actions:

Removed extension from all affected hosts via PowerShell.
Cleared browser data (history, cookies, saved passwords).
Isolated hosts temporarily for scanning.
Blocked C2 IP at firewall.

User Remediation:

All affected users forced password reset.
Users educated on fake browser updates.
Browser settings reset to default.

Enterprise-wide:

Blocked extension ID via Chrome GPO (ExtensionInstallBlocklist).
Deployed Chrome cleanup tool to all hosts.

5. Root Cause Analysis:

Primary Cause: User clicked fake browser update pop-up.
Contributing Factors:
Chrome allowed extension install without admin approval.
No extension allowlist/blocklist in place.
User unaware of fake update scams.

6. Business Impact:

Operational Impact: 4 sales workstations offline for 2 hours.
Data Exposure: Browsing history, saved passwords (all passwords reset).
Financial Impact: Potential ad fraud costs (minimal).

7. Remediation & Prevention:

Completed Actions:

Extensions removed.
Passwords reset.
C2 blocked.

Technical Controls Enhanced:

Implemented Chrome extension allowlist (only approved extensions).
Blocked all extensions from external sources via GPO.
Enabled Defender alerting for any new extension installations.
Deployed browser isolation for high-risk browsing.
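The containment blocklist, on-host removal and allowlist from sections 4 and 7, as an added PowerShell example (not the report's own script): it writes the ExtensionInstallBlocklist and ExtensionInstallAllowlist machine policies that Chrome reads from the registry and deletes the extension's files from every profile on the host. Run it elevated; the approved-extension ID is a placeholder and the profile path is an assumption.

```powershell
# Added example, not the report's own script: contain the extension on one host and
# enforce the approved-extension policy. Run elevated; Chrome applies the registry
# policies on its next policy refresh (chrome://policy > Reload policies) or restart.
$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ProfileGlob = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions'   # assumed layout

function Set-ChromeExtensionPolicyList {
    # Chrome reads list policies as a subkey of REG_SZ values named 1, 2, 3, ...
    param([string]$Name, [string[]]$Ids)
    $key = Join-Path $PolicyRoot $Name
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }   # rebuild the list from scratch
    New-Item $key -Force | Out-Null
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        New-ItemProperty -Path $key -Name "$($i + 1)" -Value $Ids[$i] -PropertyType String | Out-Null
    }
}

function Remove-ChromeExtensionFromHost {
    # Deletes the unpacked extension from every Chrome profile on the machine.
    # Blocklisting disables the extension but does not delete its files, and deleting
    # the files without the blocklist lets Chrome repair the install from the store.
    param([string]$ExtensionId)
    Get-Process chrome -ErrorAction SilentlyContinue | Stop-Process -Force
    $dirs = @(Get-ChildItem -Path $ProfileGlob -Directory -ErrorAction SilentlyContinue |
              Where-Object Name -eq $ExtensionId)
    foreach ($d in $dirs) { Remove-Item -LiteralPath $d.FullName -Recurse -Force }
    return $dirs.Count   # number of profiles the extension was removed from
}

$BlockedId   = 'gdoc-offline-helper-12345'             # extension ID from the report's IoC list
$ApprovedIds = @('PLACEHOLDER_APPROVED_EXTENSION_ID')  # placeholder for the org's approved IDs

# '*' denies every extension not on the allowlist, which is how "only approved extensions"
# is enforced; the IoC ID stays listed explicitly so it remains blocked if '*' is ever relaxed.
Set-ChromeExtensionPolicyList -Name 'ExtensionInstallBlocklist' -Ids (@('*') + $BlockedId)
Set-ChromeExtensionPolicyList -Name 'ExtensionInstallAllowlist' -Ids $ApprovedIds
'Removed from {0} profile(s)' -f (Remove-ChromeExtensionFromHost -ExtensionId $BlockedId)

# Verify what Chrome will read (the numbered values, in order).
foreach ($list in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
    (Get-ItemProperty -Path (Join-Path $PolicyRoot $list)).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { '{0}[{1}] = {2}' -f $list, $_.Name, $_.Value }
}
```

In a domain the same two lists are normally pushed through the Chrome ADMX templates in a GPO rather than written per host; the registry values shown are what that GPO produces, so the verification loop applies either way.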

8. Conclusion:

Users in the Sales department installed a malicious Chrome extension after clicking a fake update pop-up. The extension exfiltrated browsing data and captured keystrokes. Defender detected the extension based on behavior, enabling rapid removal and password resets.

Closure Rationale: Extensions removed; passwords reset; controls enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 11:00 EST
