Google Chrome has become ubiquitous among computer users, and so it has become a focus for adversaries and a valuable resource for DFIR practitioners. Knowing what information Chrome logs and what is embedded within its configuration files can prove to be a critical asset for troubleshooting, forensics, SOC user-profiling use cases, etc. Understanding the web browser state lets a defender identify risky users and prevent a potential security incident. On the other hand, an attacker with access to the browser state could use it to craft a spear-phishing campaign or a lure with an offer that is too good to be true, tailored to the target's psychological profile.
Here are some of the data points or "use cases" for Chrome that have helped me in the past during routine threat hunting, user risk profiling and sometimes during post-breach incident response.
1. C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\History
It is an SQLite file that holds browser history (URLs visited), visit counts, keywords searched, last visit time, visit duration, downloads performed, etc. Use a tool like SQLite Viewer to view the contents of this file, and select the specific table from the database using the dropdown. Match the url id from the urls table against the visits table to resolve each visit to its URL.
Note that last_visit_time is not in a standard human-readable format. Use something like EpochConverter to convert the WebKit timestamp to your time zone. Other information, such as dwell time, can also be found here.
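As an added example (not code from the original article), the urls-to-visits join and the WebKit timestamp conversion described above, run in Python against a constructed in-memory stand-in for the History file; the table and column names mirror Chrome's urls and visits tables, and the conversion assumes the WebKit epoch of 1601-01-01 UTC counted in microseconds, which is what EpochConverter does for you.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History database stores WebKit timestamps: microseconds since 1601-01-01 UTC
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(us):
    """Convert a WebKit microsecond timestamp to an aware UTC datetime (0/NULL -> None)."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def build_sample_history():
    """Constructed in-memory stand-in for the History file (subset of Chrome's real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, visit_duration INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/login', 'Login', 2, 13300000000000000);
        INSERT INTO urls VALUES (2, 'https://example.org/', 'Example', 1, 13300000600000000);
        -- visits.url is the foreign key to urls.id; visit_duration is also in microseconds
        INSERT INTO visits VALUES (1, 1, 13299999000000000, 45000000);
        INSERT INTO visits VALUES (2, 1, 13300000000000000, 12000000);
        INSERT INTO visits VALUES (3, 2, 13300000600000000, 0);
    """)
    return con


def visits_with_urls(con):
    """Join visits to urls and return (visit id, url, UTC ISO time, dwell seconds) tuples."""
    rows = con.execute("""
        SELECT v.id, u.url, v.visit_time, v.visit_duration
        FROM visits v JOIN urls u ON v.url = u.id
        ORDER BY v.visit_time
    """).fetchall()
    return [(vid, url, webkit_to_utc(t).isoformat(), dur / 1_000_000)
            for vid, url, t, dur in rows]


if __name__ == "__main__":
    # Point sqlite3.connect at a copied History file to run this against real data
    for row in visits_with_urls(build_sample_history()):
        print(row)
```

Copy the History file before opening it, since Chrome holds a lock on it while it is running.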
2. C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Preferences
The Preferences file is a text file that is dynamically accessed and written by the Chrome browser process threads. You can open the file with any text editor, but I prefer tools like codebeautify or jsonParser as they are easier on the eye. I personally save all these tools in HTML format and keep them in my repository so I can use them on my VMs without needing an internet connection.
“Extensions”
Malicious Chrome extensions, or code injected into legitimate extensions, have become popular recently, and you might see suspicious traffic originating from the Chrome browser whenever a user opens Chrome for the first time in a day. You will need to collect the extension IDs and verify whether they are legitimate on the Chrome Web Store.
Collecting Extension IDs
You can collect extension IDs by the following methods:
Through the Chrome Preferences file on that user's machine (see image above).
This method of extension ID collection is preferred, as the most common resource we (security analysts) have is an EDR (Endpoint Detection and Response) tool rather than remote access to or the GUI of the Chrome browser.
Browse to the path C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<IDs>; the folder names are the extension IDs.
Enter chrome://extensions/ in the browser address bar (if you have physical or remote access to the machine) to display all the extensions and whether they are enabled or disabled in the Google Chrome UI.
This method is useful for first responders such as a service desk analyst or Desktop Services team performing initial checks. Be cautious: some extensions can be hidden and will not be displayed by this method.
Resolving Chrome extension IDs
The easiest way to resolve the IDs collected with the techniques above is to open a Chrome tab with the URL below, replacing <paste-ID-here> with each ID in turn.
https://chrome.google.com/webstore/category/extensions/<paste-ID-here>
The expected behavior for a benign extension is that the URL takes you to the landing page of that extension. You might also come across questionable extensions such as youtube-video-downloader or flash-update, which are categorized as PUAs and could interfere with or disrupt the user's browsing experience with ads, etc. It is up to the analyst to determine which ones to flag and which ones are benign based on the organisation's security or usage policies.
If the URL returns a 404 page for a specific ID, research it further. Usually the extension has been taken down by Google due to security or privacy violations, or it is no longer on the Chrome Web Store because the author pulled it. Either reason is a red flag, as the code will no longer be vetted by Google and may have exploitable vulnerabilities or malicious intent.
Note that some extensions are now built into Chrome and are no longer available in the store. Do your due diligence before flagging a specific extension ID as malicious, as the OSINT available on lists of suspicious Chrome extensions is outdated and unreliable. Maintain your own list of extension IDs and their respective names, and build a script to perform the initial 404 checks and exclude known IDs from your list if this is a hunt you expect to run often.
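An added example, not the author's own script, of the automation the paragraph recommends: it parses the extensions.settings subtree of a Preferences file (a constructed sample is embedded; the first two IDs are real ones from the article's list, the third is made up), skips IDs on the analyst's own allow-list, and runs the Web Store 404 check on the rest using the /webstore/detail/<id> URL form that appears in the article's list comments. The fetch function is injectable so the triage logic can be exercised offline.

```python
import json
import re
import urllib.error
import urllib.request

# Constructed "extensions.settings" subtree of a Preferences file. The first two IDs are
# real ones from the article's list; the third is a made-up sideloaded extension.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "hdokiejnpimakedhajhdlcegeplioahd": {"manifest": {"name": "LastPass"}, "state": 1,
                                          "from_webstore": True},
    "nmmhkkegccagdldgiimedpiccmgmieda": {"manifest": {"name": "Chrome Web Store Payments"},
                                          "state": 1},
    "abcdefghijklmnopabcdefghijklmnop": {"manifest": {"name": "Totally Legit Helper"},
                                          "state": 1, "from_webstore": False},
}}})
# The analyst's own allow-list the article recommends maintaining (hypothetical contents)
KNOWN_IDS = {"hdokiejnpimakedhajhdlcegeplioahd", "nmmhkkegccagdldgiimedpiccmgmieda"}
ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 letters in the range a-p

def extract_extensions(prefs_text):
    """Return id, name, enabled state and store origin for each extension in Preferences."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    return [{"id": ext_id,
             "name": info.get("manifest", {}).get("name", "<unknown>"),
             "enabled": info.get("state") == 1,
             "from_webstore": info.get("from_webstore", False)}
            for ext_id, info in settings.items() if ID_RE.match(ext_id)]

def webstore_status(ext_id, fetch=None):
    """HTTP status of the Web Store detail page; pass `fetch` to run offline or in tests."""
    url = f"https://chrome.google.com/webstore/detail/{ext_id}"
    if fetch is None:
        def fetch(u):
            try:
                with urllib.request.urlopen(u, timeout=10) as resp:
                    return resp.status
            except urllib.error.HTTPError as err:
                return err.code
    return fetch(url)

def triage(prefs_text, known, fetch=None):
    """Skip allow-listed IDs; a 404 or a non-store install marks the rest for review."""
    findings = []
    for ext in extract_extensions(prefs_text):
        if ext["id"] in known:
            continue
        ext["webstore_http_status"] = webstore_status(ext["id"], fetch)
        ext["flag"] = ("review" if ext["webstore_http_status"] == 404
                       or not ext["from_webstore"] else "unknown")
        findings.append(ext)
    return findings
```

On Windows builds Chrome keeps this subtree in the Secure Preferences file in the same profile folder rather than in Preferences, so feed the script whichever of the two contains it.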
3. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\favicon
Favicons are used in toolbar apps, browser tabs, the bookmarks dropdown, browser history, the search bar and search bar recommendations. Users rarely clear these cached image files, so the favicon file can be used for recon: it holds far more entries than the History or other site-visited files. While this is a long route, the favicons table holds unique entries and can be used to profile users or attribute traffic originating from Chrome user interactions.
4. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Web Data
Web Data holds some of the most sensitive information about the user. An attacker with access to this file holds most of the target's personally identifiable information (PII), such as autofill_addresses, credit_cards and other vital details. Remember Chrome popping up an autofill dialog for your user_name, credit card number, SSN or address? All those details are fetched from this file, and it is in plain text for anyone to read.
5. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data
As the name suggests, this file holds the credentials for every website you have allowed Chrome to save. While the password column is encrypted, it is not hard to decode 😊
While there is other interesting information that can be extracted from Chrome configs and cached files, I hope this article gives you the idea. Numerous use cases can be built from these artifacts together with an EDR-like solution and a SIEM to match targeted flags.
A list of known benign / suspicious extension IDs mapped to their names:
***the list will be updated continuously***