Query Details

Malicious Browser Extension Downloads Using Device File Events

Query

//Credit https://github.com/toborrm9/malicious_extension_sentry
//Load the community list of known-malicious extension IDs. format=txt reads each line as one string,
//so split on commas and expand the result in case a line carries more than one ID
let MaliciousExtensions = externaldata (ExtensionID: string) [@'https://raw.githubusercontent.com/toborrm9/malicious_extension_sentry/refs/heads/main/Malicious-Extensions.csv'] with (format=txt, ignoreFirstRecord = true)
| extend ExtensionID = split(ExtensionID,",")
| mv-expand ExtensionID
| extend ExtensionID = tostring(ExtensionID);
DeviceFileEvents
| where TimeGenerated > ago(90d)
| where ActionType == "FileCreated"
| where FileName endswith ".crx"
//| where InitiatingProcessFileName == "chrome.exe" //if you need to filter down to chrome vs edge
| where FolderPath contains "Webstore Downloads"
//Strip the trailing "_<version>.crx" suffix so only the extension ID remains
| extend ExtensionID = trim_end(@"_\d{2,6}\.crx", FileName)
| extend ExtensionURL = strcat("https://chrome.google.com/webstore/detail/",ExtensionID)
| extend EdgeExtensionURL = strcat("https://microsoftedge.microsoft.com/addons/detail/",ExtensionID)
| summarize count() by ExtensionID,ExtensionURL, EdgeExtensionURL
| join kind=leftouter MaliciousExtensions on ExtensionID //a populated ExtensionID1 column marks an extension that is on the malicious list

Explanation

This query is designed to identify potentially malicious browser extensions that have been downloaded onto devices within the last 90 days. Here's a simplified breakdown of what the query does:

  1. Load Malicious Extensions List: It starts by loading a list of known malicious extension IDs from an external CSV file hosted on GitHub.

  2. Process Device File Events: It then examines device file events for files created in the last 90 days. Specifically, it looks for files with the ".crx" extension, the packaging format used by Chrome and Edge browser extensions.

  3. Filter by Download Location: The query filters these events to those where the file was downloaded from a web store, as indicated by the "Webstore Downloads" folder path.

  4. Extract Extension ID: It extracts the extension ID from the file name by trimming the trailing "_<version>.crx" suffix, so that different versions of the same extension collapse to one ID.

  5. Generate URLs: For each extension ID, it generates URLs for both the Chrome Web Store and the Microsoft Edge Add-ons site, which can be used to view more information about the extension.

  6. Summarize Data: The query summarizes the data by counting the occurrences of each extension ID and associating them with their respective URLs.

  7. Join with Malicious List: Finally, it performs a left outer join with the list of known malicious extensions. Every extension found in the device file events is returned; for those that appear on the malicious list the joined column (ExtensionID1) is populated, while for all others it is left empty, so a non-empty ExtensionID1 is the indicator to act on.

Overall, this query helps in identifying and highlighting potentially harmful browser extensions that have been recently downloaded, by cross-referencing them with a known list of malicious extensions.
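The following is an added example, not part of the original query or the malicious_extension_sentry project: a small Python re-implementation of the same pipeline (window filter, .crx and "Webstore Downloads" filters, ID extraction, per-ID count, left join against the list) so the logic can be exercised offline. The DeviceFileEvents rows, the CSV contents and every extension ID in it are constructed for the example. It goes slightly beyond the KQL in two places, both noted in comments: the version suffix is treated as optional, so a bare "<id>.crx" still yields an ID, and the extracted value is checked against the 32-character a-p alphabet Chrome uses for extension IDs.

```python
"""Offline re-implementation of the KQL hunt above over constructed sample rows."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Same idea as the query's trim_end(@"_\d{2,6}.crx", FileName): strip "_<2-6 digits>.crx"
# from the end of the filename. The suffix is optional here (the KQL would leave ".crx"
# attached to a file that lacks the version part).
CRX_SUFFIX = re.compile(r"(?:_\d{2,6})?\.crx$", re.IGNORECASE)
# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")

CHROME_URL = "https://chrome.google.com/webstore/detail/"
EDGE_URL = "https://microsoftedge.microsoft.com/addons/detail/"


def load_malicious_list(csv_text: str) -> set[str]:
    """Mirror the externaldata block: skip the header, split each line on commas."""
    ids = set()
    for line in csv_text.splitlines()[1:]:
        for token in line.split(","):
            token = token.strip()
            if token:
                ids.add(token)
    return ids


def extension_id_from_filename(file_name: str):
    """Return the extension ID encoded in a Webstore Downloads .crx filename, or None."""
    if not file_name.lower().endswith(".crx"):
        return None
    candidate = CRX_SUFFIX.sub("", file_name)
    return candidate if EXTENSION_ID.match(candidate) else None


def hunt(events, malicious_ids, now, lookback_days=90, initiating_process=None):
    """Apply the query's filters, summarise per ExtensionID and left-join the list."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for ev in events:
        if ev["TimeGenerated"] <= cutoff:                       # ago(90d)
            continue
        if ev["ActionType"] != "FileCreated":
            continue
        if "webstore downloads" not in ev["FolderPath"].lower():  # contains is case-insensitive
            continue
        if initiating_process and ev["InitiatingProcessFileName"] != initiating_process:
            continue
        ext_id = extension_id_from_filename(ev["FileName"])
        if ext_id is None:
            continue
        counts[ext_id] += 1
    rows = []
    for ext_id, n in sorted(counts.items()):
        rows.append({
            "ExtensionID": ext_id,
            "ExtensionURL": CHROME_URL + ext_id,
            "EdgeExtensionURL": EDGE_URL + ext_id,
            "count_": n,
            # leftouter join: rows with no match keep an empty right-hand key column
            "ExtensionID1": ext_id if ext_id in malicious_ids else "",
        })
    return rows


# ---- constructed sample data (not real IDs, not real hosts) ----
MALICIOUS_CSV = "ExtensionID\nabcdefghijklmnopabcdefghijklmnop\n"
NOW = datetime(2026, 2, 8, tzinfo=timezone.utc)
WEBSTORE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Webstore Downloads"


def _ev(days_ago, file_name, folder=WEBSTORE, action="FileCreated", proc="chrome.exe"):
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "ActionType": action,
            "FileName": file_name, "FolderPath": folder, "InitiatingProcessFileName": proc}


SAMPLE_EVENTS = [
    _ev(1, "aaaabbbbccccddddeeeeffffgggghhhh_1234.crx"),
    _ev(5, "aaaabbbbccccddddeeeeffffgggghhhh_1235.crx"),           # same ID, newer version
    _ev(10, "abcdefghijklmnopabcdefghijklmnop_55.crx", proc="msedge.exe"),  # on the list
    _ev(3, "hhhhggggffffeeeeddddccccbbbbaaaa.crx"),                # no version suffix
    _ev(120, "aaaabbbbccccddddeeeeffffgggghhhh_1200.crx"),         # outside the 90d window
    _ev(2, "aaaabbbbccccddddeeeeffffgggghhhh_1234.crx", folder=r"C:\Users\alice\Downloads"),
    _ev(2, "aaaabbbbccccddddeeeeffffgggghhhh_1234.crx", action="FileModified"),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS, load_malicious_list(MALICIOUS_CSV), NOW):
        flag = "MALICIOUS" if row["ExtensionID1"] else ""
        print(row["ExtensionID"], row["count_"], flag)
```

Running the module prints one line per extension ID with its download count; only the ID that is on the constructed list carries the MALICIOUS flag, and the out-of-window, non-webstore and non-FileCreated rows are dropped exactly as the KQL filters would drop them. Passing initiating_process="chrome.exe" reproduces the commented-out chrome-vs-edge filter from the query.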

Details


Jay Kerai

Released: February 8, 2026

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

let, externaldata, extend, split, mv-expand, tostring, where, ago, endswith, contains, trim_end, strcat, summarize, count, by, join, on