From 893766efddf175a0c65749c3bca1cf4ee60f8222 Mon Sep 17 00:00:00 2001
From: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
Date: Fri, 31 May 2024 12:02:06 -0400
Subject: [PATCH] Update chrome_extensions.yml (#19397)

Please check the new scalar is working correctly. I am going to have to do a PR on the authdb table because some of the markdown syntax is showing on the updated page. Thanks!

---------

Co-authored-by: Eric
---
 schema/tables/chrome_extensions.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/schema/tables/chrome_extensions.yml b/schema/tables/chrome_extensions.yml
index 37a2a0a768..736ffdab6a 100644
--- a/schema/tables/chrome_extensions.yml
+++ b/schema/tables/chrome_extensions.yml
@@ -4,22 +4,36 @@ platforms: - windows - linux - chrome -description: Installed extensions (plugins) for [Chromium-based](https://en.wikipedia.org/wiki/Chromium_(web_browser)) browsers, including [Google Chrome](https://en.wikipedia.org/wiki/Google_Chrome), [Edge](https://en.wikipedia.org/wiki/Microsoft_Edge), [Brave](https://en.wikipedia.org/wiki/Brave_(web_browser)), [Opera](https://en.wikipedia.org/wiki/Opera_(web_browser)), and [Yandex](https://en.wikipedia.org/wiki/Yandex_Browser). -examples: |- +description: The `chrome_extensions` table maps browser extensions installed in [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser)) browsers like [Google Chrome](https://en.wikipedia.org/wiki/Google_Chrome), [Edge](https://en.wikipedia.org/wiki/Microsoft_Edge), [Brave](https://en.wikipedia.org/wiki/Brave_(web_browser)), [Opera](https://en.wikipedia.org/wiki/Opera_(web_browser)), and [Yandex](https://en.wikipedia.org/wiki/Yandex_Browser). +examples: |- + + Because browser data lives in user space, this query uses a join to include a UID: + ``` SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); ``` - List Chrome extensions by user and profile which have full access to HTTPS - browsing. + This query shows Chrome extensions that have full access to HTTPS browsing; ``` SELECT u.username, ce.name, ce.description, ce.version, ce.profile, ce.permissions FROM users u CROSS JOIN chrome_extensions ce USING (uid) WHERE ce.permissions LIKE '%%https://*/*%%'; ``` + notes: |- Querying this table requires joining against the `users` table. [Learn more](https://fleetdm.com/guides/osquery-consider-joining-against-the-users-table) On ChromeOS, this table requires the [fleetd Chrome extension](https://fleetdm.com/docs/using-fleet/chromeos). 
+ + Examples of [malicious Chrome extensions](https://palant.info/2023/06/08/another-cluster-of-potentially-malicious-chrome-extensions/) + + Loosely restricted extension permissions can be an [indicator of malicious intent](https://developer.chrome.com/docs/extensions/reference/api/permissions) + + Tracking browser extensions in an organization can help with: + + - Compliance audits: Ensure extensions comply with company policies + - Security training: Educate users about Chrome extension risks + - Incident response: Identify suspicious or vulnerable extensions + columns: - name: uid platforms:
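Review bot: The lead-in for the second query in the `examples` block ends with a semicolon (`This query shows Chrome extensions that have full access to HTTPS browsing;`) while the first lead-in ends with a colon; change it to a colon so the two examples read consistently. On the "new scalar" question from the commit message: with the `|-` strip indicator the trailing blank `+` line added before `notes:` is dropped, but the blank line added directly after `examples: |-` is leading content of a literal block scalar and is preserved as a newline at the start of the value, so it should be removed unless the renderer is known to ignore it. In the `notes` block, `Examples of [malicious Chrome extensions](...)` and `Loosely restricted extension permissions can be an [indicator of malicious intent](...)` lack terminal punctuation, and the second links to the permissions API reference rather than to anything that discusses indicators; consider writing both as full sentences and pointing the second link at guidance on reviewing requested permissions, since the bullets that follow already frame the table's use as compliance audit, training and incident response.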