VAULT 4624
SUCCESSFUL LOGIN DETECTED, WELCOME Vault Dweller

==================================================


>> You have chosen the INITIAL ACCESS segment of this terminal. Welcome! Here you will find hunts and queries aligned with initial access that should be useful for your own searches. Not all of the information here is my own; sources and credits are attributed to their authors.


>> To access the information, please select a subject from the list below:



INITIAL ACCESS


The following options will provide valuable insight into potential security threats and vulnerabilities within a network. Please select an option from the list to view the content.

>> Detecting Browser Extension Installations


>> FIREFOX

On a Windows machine, installing a Firefox add-on produces the following artefacts from the firefox.exe process:
>> File Creation
Files 'myaddon' and 'myaddon.xpi' (placeholder names) appear in: C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-esr\extensions\staged\
(The profile directory suffix depends on the channel: *.default-release for the standard release, *.default-esr for ESR. Match on Profiles\* rather than on the suffix.)
>> Add-on internal UUID in
C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-esr\storage\default\moz-extension+++(myaddonGUID)*
(The GUID here is the per-profile internal UUID Firefox assigns to the add-on, not its add-on ID. The add-on ID to UUID mapping is stored in the extensions.webextensions.uuids preference in prefs.js in the same profile.)
>> Image Loaded:
C:\Program Files (x86)\Mozilla Firefox\xul.dll
(xul.dll is loaded by every Firefox process, so treat this as context rather than a detection on its own.)
>> Proxy Logs:
URLs accessed: https://addons.mozilla.org https://addons.mozilla.org/firefox/downloads/file/* and any URL ending with ".xpi". An .xpi fetched from a host other than addons.mozilla.org is a sideload candidate.
>> CLI Installation (if it occurred, check the parent process):
CommandLine: firefox -install-global-extension *.xpi
(Legacy switch that current Firefox releases no longer honour; still worth a hunt on old builds. Also look for firefox.exe launched with an .xpi path as its argument, which prompts the user to install it.)
>> Extensions Information:
Details for every installed add-on (ID, version, install location, signed state, source URI and install date) are in extensions.json within the Firefox user profile.
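As an added example (not code from the original page), the following Python triages a Firefox profile's extensions.json against the points above: it flags add-ons that are unsigned, not sourced from addons.mozilla.org, installed outside the profile, or installed recently, and resolves each add-on ID to its internal UUID from prefs.js so the moz-extension+++<uuid> storage folder can be located. The extensions.json and prefs.js contents are constructed samples; the add-on IDs, UUIDs, dates and paths are made up, while the field names are the ones Firefox writes.

```python
"""Triage a Firefox profile's extensions.json against prefs.js.

Added example, not from the original page. EXTENSIONS_JSON and PREFS_JS
are constructed samples (IDs, UUIDs, dates and paths are made up); the
field names are the ones Firefox writes.
"""
import json
import re
import time

SIGNEDSTATE_SIGNED = 2   # Firefox AddonManager constant; lower values are unsigned/unknown
AMO_RE = re.compile(r"^https://addons\.mozilla\.org/", re.I)
UUIDS_PREF_RE = re.compile(
    r'user_pref\("extensions\.webextensions\.uuids",\s*"((?:[^"\\]|\\.)*)"\);')

# Constructed sample: one add-on installed from AMO, one sideloaded .xpi.
EXTENSIONS_JSON = json.dumps({"schemaVersion": 35, "addons": [
    {"id": "uBlock0@raymondhill.net", "version": "1.50.0", "type": "extension",
     "location": "app-profile", "signedState": 2, "active": True,
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/4141256/ublock_origin-1.50.0.xpi",
     "installDate": 1700000000000, "defaultLocale": {"name": "uBlock Origin"}},
    {"id": "myaddon@example.test", "version": "0.1", "type": "extension",
     "location": "app-global", "signedState": 0, "active": True,
     "sourceURI": "file:///C:/Users/Public/myaddon.xpi",
     "installDate": 1712000000000, "defaultLocale": {"name": "myaddon"}},
]})

# Constructed prefs.js line: the pref value is a JSON object stored inside a JS string.
PREFS_JS = (r'user_pref("extensions.webextensions.uuids", "{\"uBlock0@raymondhill.net\":'
            r'\"3e4e7f9a-1111-4c36-9b1a-0c0a9c5d0a01\",\"myaddon@example.test\":'
            r'\"9d7c2b1e-2222-4f3a-8e5d-6a7b8c9d0e0f\"}");')


def load_uuid_map(prefs_js):
    """Map add-on ID -> internal UUID (the moz-extension+++<uuid> storage folder name)."""
    m = UUIDS_PREF_RE.search(prefs_js)
    if not m:
        return {}
    # Decode the JS string literal (JSON string escapes suffice), then the object inside it.
    return json.loads(json.loads('"' + m.group(1) + '"'))


def triage(extensions_json, prefs_js, now_ms=None, recent_days=7):
    """Return one record per extension with the reasons it deserves a look."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    uuids = load_uuid_map(prefs_js)
    out = []
    for a in json.loads(extensions_json)["addons"]:
        if a.get("type") != "extension":
            continue                      # skip themes, dictionaries, langpacks
        flags = []
        if a.get("signedState", 0) < SIGNEDSTATE_SIGNED:
            flags.append("unsigned")
        if not AMO_RE.match(a.get("sourceURI") or ""):
            flags.append("not-from-AMO")  # sideloaded or self-hosted .xpi
        if a.get("location") != "app-profile":
            flags.append("location=" + str(a.get("location")))  # global/system install locations
        age_days = (now_ms - a.get("installDate", 0)) / 86_400_000
        if age_days < recent_days:
            flags.append("recent-install")
        uuid = uuids.get(a["id"])
        out.append({"id": a["id"], "name": a.get("defaultLocale", {}).get("name"),
                    "version": a.get("version"), "uuid": uuid,
                    "storage_dir": f"moz-extension+++{uuid}" if uuid else None,
                    "age_days": round(age_days, 1), "flags": flags})
    return out


if __name__ == "__main__":
    for rec in triage(EXTENSIONS_JSON, PREFS_JS):
        print(rec)
```

On a live host, read the two files from the profile directory and feed them to triage(); an add-on carrying "unsigned" or "not-from-AMO" together with a location other than app-profile is the sideload pattern the staged-file and proxy hunts above are looking for.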

>> CHROME

The installation of a Chrome add-on leaves the following traces:
>> Download Process:
chrome.exe loads BitsProxy.dll > svchost.exe (the BITS service host) loads bits*.dll > BITS downloads the package and logs it in the "Microsoft-Windows-Bits-Client" channel with EventID 59 (transfer job started, includes the URL) and 60 (transfer job stopped/completed).
>> URL Requests:
URLs accessed:
http://edgedl[.]me.gvt1[.]com/edgedl/release2/chrome_component/*.crx3
http://edgedl[.]me.gvt1[.]com/edgedl/chromewebstore/*.crx
https://clients2[.]google[.]com/service/update2/crx?*
https://clients2[.]googleusercontent[.]com/crx/blobs/*.crx
Any other URL ending in ".crx" or ".crx3" (i.e. not served from the Chrome Web Store or Google's update hosts) is a sideload candidate.
>> File Creation:
On BITS download completion, svchost.exe writes the .crx3 file to:
C:\Program Files\chrome_BITS_*\*.crx3
chrome.exe writes to:
C:\Users\username\AppData\Local\Google\Chrome\User Data\Webstore Downloads\*.crx
C:\Users\username\AppData\Local\Temp\scoped_dir*\*.crx
C:\Users\username\AppData\Local\Temp\scoped_dir*\CRX_INSTALL\assets\EXTENSION_NAME\*
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\EXTENSION_NAME\*
(Default is only the first profile; additional profiles live in sibling "Profile N" directories under User Data, so match on User Data\*\Extensions\.)
>> Registry Access:
During installation, chrome.exe accesses: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\*\.crx\*
>> Image Loaded by chrome.exe:
Not useful for detection on its own, but for context: C:\Program Files\Google\Chrome\Application\*\chrome_elf.dll C:\Windows\System32\BitsProxy.dll
>> CLI Installation (if it occurred, check the parent process):
Look for chrome.exe command lines containing .crx or .crx3. Example: chrome.exe --enable-extensions --install-extension="*.crx"
Also hunt for --load-extension=<directory>, which loads an unpacked extension straight from a folder and never writes a .crx file.
>> Note:
Each folder in C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\ represents one Chrome extension: the folder name is the 32-character extension ID, and its version subfolder holds the manifest.json that declares the extension's name and permissions.
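As an added example (not code from the original page), the following Python runs the file, command-line, BITS and proxy indicators from both the FIREFOX and CHROME sections above as rules over a handful of constructed telemetry records. The events are hand-made dicts shaped like Sysmon Event 1 (process create) and Event 11 (file create), Microsoft-Windows-Bits-Client 59/60 with the URL in a "url" field, and a generic proxy record; the user name, extension ID, URLs and field layout are assumptions. The path patterns are the page's, widened from "*.default-esr" and "Default" to any profile directory, and "--load-extension=" is an extra command-line hunt added here.

```python
"""Match constructed endpoint and proxy telemetry against the Firefox and
Chrome extension-install artefacts listed above.

Added example, not from the original page. EVENTS are hand-made dicts shaped
like Sysmon Event 1 / 11, BITS-Client 59/60 and a generic proxy record; the
user name, IDs, URLs and field layout are assumptions. Path patterns are the
page's, widened to any profile directory. '--load-extension=' is an extra
hunt added here: it loads an unpacked extension folder, so no .crx is written.
"""
import fnmatch
import re

EXT_URL_RE = re.compile(
    r"\.(xpi|crx3?)(\?|$)"                                       # bare package download
    r"|^https?://addons\.mozilla\.org/firefox/downloads/file/"
    r"|^https?://clients2\.google\.com/service/update2/crx"
    r"|^https?://clients2\.googleusercontent\.com/crx/blobs/"
    r"|^https?://edgedl\.me\.gvt1\.com/edgedl/(release2/chrome_component|chromewebstore)/",
    re.I)


def _norm(s):
    """Lower-case and unify slashes so fnmatch behaves like a Windows path match."""
    return s.replace("/", "\\").lower()


def _match(value, *patterns):
    return any(fnmatch.fnmatchcase(_norm(value), _norm(p)) for p in patterns)


def _url_is_extension(url):
    return EXT_URL_RE.search(url) is not None


def _file_write(e, image, *patterns):
    """Sysmon Event 11 by the given image to a path matching one of the patterns."""
    return (e.get("EventID") == 11 and _match(e.get("Image", ""), image)
            and _match(e.get("TargetFilename", ""), *patterns))


# (rule name, predicate over one event)
RULES = [
    ("firefox_staged_xpi", lambda e: _file_write(e, "*\\firefox.exe",
        "*\\appdata\\roaming\\mozilla\\firefox\\profiles\\*\\extensions\\staged\\*.xpi")),
    ("firefox_cli_global_install", lambda e: e.get("EventID") == 1
        and _match(e.get("Image", ""), "*\\firefox.exe")
        and "-install-global-extension" in e.get("CommandLine", "").lower()),
    ("chrome_bits_crx3", lambda e: _file_write(e, "*\\svchost.exe",
        "*\\program files\\chrome_bits_*\\*.crx3")),
    ("chrome_webstore_download", lambda e: _file_write(e, "*\\chrome.exe",
        "*\\appdata\\local\\google\\chrome\\user data\\webstore downloads\\*.crx")),
    ("chrome_crx_unpack_temp", lambda e: _file_write(e, "*\\chrome.exe",
        "*\\appdata\\local\\temp\\scoped_dir*\\*.crx",
        "*\\appdata\\local\\temp\\scoped_dir*\\crx_install\\*")),
    ("chrome_extension_dir_write", lambda e: _file_write(e, "*\\chrome.exe",
        "*\\appdata\\local\\google\\chrome\\user data\\*\\extensions\\*\\manifest.json")),
    ("chrome_cli_extension", lambda e: e.get("EventID") == 1
        and _match(e.get("Image", ""), "*\\chrome.exe")
        and re.search(r"\.crx3?\b|--load-extension=", e.get("CommandLine", ""), re.I) is not None),
    ("bits_extension_download", lambda e: e.get("Channel") == "Microsoft-Windows-Bits-Client"
        and e.get("EventID") in (59, 60) and _url_is_extension(e.get("url", ""))),
    ("proxy_extension_download", lambda e: e.get("Source") == "proxy"
        and _url_is_extension(e.get("url", ""))),
]


def hunt(events):
    """Return (rule_name, event) for every event that trips a rule, in input order."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]


FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CH = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [  # constructed telemetry; the second and last records are benign decoys
    {"EventID": 11, "Image": FF, "TargetFilename":
     r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\extensions\staged\myaddon.xpi"},
    {"EventID": 11, "Image": FF, "TargetFilename":
     r"C:\Users\jdoe\AppData\Local\Mozilla\Firefox\Profiles\abc123.default-release\cache2\entries\0A1B"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename":
     r"C:\Program Files\chrome_BITS_1234_5678\crx_extension.crx3"},
    {"EventID": 11, "Image": CH, "TargetFilename":
     r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Webstore Downloads\abcdefghijklmnopabcdefghijklmnop.crx"},
    {"EventID": 11, "Image": CH, "TargetFilename":
     r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.2.3_0\manifest.json"},
    {"EventID": 1, "Image": CH, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Public\ext"'},
    {"Channel": "Microsoft-Windows-Bits-Client", "EventID": 59,
     "url": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/foo.crx3"},
    {"Source": "proxy", "url": "https://addons.mozilla.org/firefox/downloads/file/4141256/ublock_origin-1.50.0.xpi"},
    {"Source": "proxy", "url": "https://www.example.test/index.html"},
]

if __name__ == "__main__":
    for name, e in hunt(EVENTS):
        print(f"{name:28} {e.get('TargetFilename') or e.get('CommandLine') or e.get('url')}")
```

The Web Store and Google update URLs will fire constantly in a normal fleet, so in practice the proxy and BITS rules are most useful when the matched URL is on some other host, or when they correlate in time with a staged .xpi, a scoped_dir .crx, a new manifest.json under Extensions\, or a chrome.exe/firefox.exe command line spawned by an unexpected parent.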



>> VENDOR SPECIFIC:

>> DEFENDER
>> CROWDSTRIKE
>> CHECKPOINT
>> PALO ALTO