Fix typo and add remote installation of chromium extension (blog soon)

LasCC · web-flow · commit 4eafb60c4c7a · 2025-09-03T11:59:31.000-04:00
diff --git a/s1_powerquery_hunting.json b/s1_powerquery_hunting.json
@@ -318,7 +318,7 @@
     {
         "category": "Execution & TTPs",
         "name": "Execution From Suspicious Folder",
-        "query": "((src.process.image.path contains:anycase 'C:\\\\Perflogs\\\\' OR src.process.image.path contains:anycase '\\\\$Recycle.bin\\\\' OR src.process.image.path contains:anycase '\\\\config\\\\systemprofile\\\\' OR src.process.image.path contains:anycase '\\\\Intel\\\\Logs\\\\' OR src.process.image.path contains:anycase '\\\\RSA\\\\MachineKeys\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\All Users\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\Default\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\NetworkService\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\Public\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\addins\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\debug\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Fonts\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Help\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\IME\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Media\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\repair\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\security\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\System32\\\\Tasks\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Tasks\\\\') AND NOT (src.process.image.path contains:anycase 'firefox' OR src.process.image.path contains:anycase 'citrix' OR src.process.image.path contains:anycase 'splunkd.exe' OR src.process.image.path contains:anycase 'ldapadmin.exe' OR src.process.image.path contains:anycase 'acslaunch_win' OR src.process.image.path contains:anycase 'gotoassist'))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, Count\n| sort -Count\n| limit 100000"
+        "query": "((src.process.image.path contains:anycase 'C:\\\\Perflogs\\\\' OR src.process.image.path contains:anycase '\\\\$Recycle.bin\\\\' OR src.process.image.path contains:anycase '\\\\config\\\\systemprofile\\\\' OR src.process.image.path contains:anycase '\\\\Intel\\\\Logs\\\\' OR src.process.image.path contains:anycase '\\\\RSA\\\\MachineKeys\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\All Users\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\Default\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\NetworkService\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\Public\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\addins\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\debug\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Fonts\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Help\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\IME\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Media\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\repair\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\security\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\System32\\\\Tasks\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Tasks\\\\') AND NOT (src.process.image.path contains:anycase 'firefox' OR src.process.image.path contains:anycase 'citrix' OR src.process.image.path contains:anycase 'splunkd.exe' OR src.process.image.path contains:anycase 'ldapadmin.exe' OR src.process.image.path contains:anycase 'acslaunch_win' OR src.process.image.path contains:anycase 'gotoassist' OR src.process.user contains:anycase (\"system\",\"syst\u00e8me\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, Count\n| sort -Count\n| limit 100000"
     },
     {
         "category": "Defense Evasion",
@@ -384,5 +384,10 @@
         "category" : "Exfiltration",
         "name": "Robocopy - Suspicious Copy From or To System Directory",
         "query": "((src.process.name contains:anycase 'robocopy.exe' OR src.process.name contains:anycase 'xcopy.exe') OR\n(src.process.name contains:anycase 'cmd.exe' AND src.process.cmdline contains:anycase 'copy ') OR\n((src.process.name contains:anycase 'powershell.exe' OR src.process.name contains:anycase 'pwsh.exe') AND\n (src.process.cmdline contains:anycase 'copy-item' OR src.process.cmdline contains:anycase ' copy ' OR src.process.cmdline contains:anycase 'cpi ' OR src.process.cmdline contains:anycase ' cp '))) AND\n(src.process.cmdline contains:anycase '\\\\System32' OR src.process.cmdline contains:anycase '\\\\SysWOW64' OR src.process.cmdline contains:anycase '\\\\WinSxS')\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, Count\n| sort -Count\n| limit 100000"
+    },
+    {
+        "category" : "Command & Control",
+        "name": "Remote installation of custom chrome extensions",
+        "query": "endpoint.os = \"windows\" #filepath contains:anycase \"secure preferences\" event.type contains:anycase (\"File Creation\",\"File Modification\") NOT (src.process.name contains:anycase (\"chrome\",\"edege\",\"spotify\",\"opera\",\"brave\",\"msedgewebview2\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, Count\n| sort -Count\n| limit 100000"
     }
 ]

Original file line number	Diff line number	Diff line change
`@@ -318,7 +318,7 @@`
`318`	`318`	`{`
`319`	`319`	`"category": "Execution & TTPs",`
`320`	`320`	`"name": "Execution From Suspicious Folder",`
`321`		- "query": "((src.process.image.path contains:anycase 'C:\\\\Perflogs\\\\' OR src.process.image.path contains:anycase '\\\\$Recycle.bin\\\\' OR src.process.image.path contains:anycase '\\\\config\\\\systemprofile\\\\' OR src.process.image.path contains:anycase '\\\\Intel\\\\Logs\\\\' OR src.process.image.path contains:anycase '\\\\RSA\\\\MachineKeys\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\All Users\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\Default\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\NetworkService\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\Public\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\addins\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\debug\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Fonts\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Help\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\IME\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Media\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\repair\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\security\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\System32\\\\Tasks\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Tasks\\\\') AND NOT (src.process.image.path contains:anycase 'firefox' OR src.process.image.path contains:anycase 'citrix' OR src.process.image.path contains:anycase 'splunkd.exe' OR src.process.image.path contains:anycase 'ldapadmin.exe' OR src.process.image.path contains:anycase 'acslaunch_win' OR src.process.image.path contains:anycase 'gotoassist'))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, Count\n\| sort -Count\n\| limit 100000"
	`321`	+ "query": "((src.process.image.path contains:anycase 'C:\\\\Perflogs\\\\' OR src.process.image.path contains:anycase '\\\\$Recycle.bin\\\\' OR src.process.image.path contains:anycase '\\\\config\\\\systemprofile\\\\' OR src.process.image.path contains:anycase '\\\\Intel\\\\Logs\\\\' OR src.process.image.path contains:anycase '\\\\RSA\\\\MachineKeys\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\All Users\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\Default\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\NetworkService\\\\' OR src.process.image.path contains:anycase '\\\\Users\\\\Public\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\addins\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\debug\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Fonts\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Help\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\IME\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Media\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\repair\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\security\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\System32\\\\Tasks\\\\' OR src.process.image.path contains:anycase '\\\\Windows\\\\Tasks\\\\') AND NOT (src.process.image.path contains:anycase 'firefox' OR src.process.image.path contains:anycase 'citrix' OR src.process.image.path contains:anycase 'splunkd.exe' OR src.process.image.path contains:anycase 'ldapadmin.exe' OR src.process.image.path contains:anycase 'acslaunch_win' OR src.process.image.path contains:anycase 'gotoassist' OR src.process.user contains:anycase (\"system\",\"syst\u00e8me\")))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, Count\n\| sort -Count\n\| limit 100000"
`322`	`322`	`},`
`323`	`323`	`{`
`324`	`324`	`"category": "Defense Evasion",`
`@@ -384,5 +384,10 @@`
`384`	`384`	`"category" : "Exfiltration",`
`385`	`385`	`"name": "Robocopy - Suspicious Copy From or To System Directory",`
`386`	`386`	"query": "((src.process.name contains:anycase 'robocopy.exe' OR src.process.name contains:anycase 'xcopy.exe') OR\n(src.process.name contains:anycase 'cmd.exe' AND src.process.cmdline contains:anycase 'copy ') OR\n((src.process.name contains:anycase 'powershell.exe' OR src.process.name contains:anycase 'pwsh.exe') AND\n (src.process.cmdline contains:anycase 'copy-item' OR src.process.cmdline contains:anycase ' copy ' OR src.process.cmdline contains:anycase 'cpi ' OR src.process.cmdline contains:anycase ' cp '))) AND\n(src.process.cmdline contains:anycase '\\\\System32' OR src.process.cmdline contains:anycase '\\\\SysWOW64' OR src.process.cmdline contains:anycase '\\\\WinSxS')\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, Count\n\| sort -Count\n\| limit 100000"
	`387`	`+ },`
	`388`	`+ {`
	`389`	`+ "category" : "Command & Control",`
	`390`	`+ "name": "Remote installation of custom chrome extensions",`
	`391`	+ "query": "endpoint.os = \"windows\" #filepath contains:anycase \"secure preferences\" event.type contains:anycase (\"File Creation\",\"File Modification\") NOT (src.process.name contains:anycase (\"chrome\",\"edege\",\"spotify\",\"opera\",\"brave\",\"msedgewebview2\"))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, src.process.image.path, Count\n\| sort -Count\n\| limit 100000"
`387`	`392`	`}`
`388`	`393`	`]`