chrome.exe
- File Path:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
- Description: Google Chrome
Screenshot
Hashes
Type | Hash |
---|---|
MD5 | 184AC5D5E7A81024DD8B3A961ED70735 |
SHA1 | C571FC25BE6876C37C47C0F90BB8D1550F3A843F |
SHA256 | 7CF0BB881E8EE0B4ED43D73B4ECA634F9C1B14D2DE4DE916177BB4ED2939F16E |
SHA384 | 2F64B9479612AA8D85BD602E3E529708AC88C6DD50C26E16F2C5472581F59E4DCA037E41830AB6B1F7692F4F75E4F2B8 |
SHA512 | 43C42D00CD5CA5B0D7612C17C4FF112290B46583EB456EFC98A2B27DF8CC1B4146686F7D1C5081E5AFD8B0280F8B5E2531C4E20B9C19CEFAE591FCE0FAE285DB |
SSDEEP | 24576:RmduWOgCPLdX/JmrLAWZ71C6/63V1b2vxB7CT2fg10oi:RmEWO/PLTuLrZpCnF1Kv/WTC |
Runtime Data
Child Processes:
chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe
Signature
- Status: Signature verified.
- Serial:
0C15BE4A15BB0903C901B1D6C265302F
- Thumbprint:
CB7E84887F3C6015FE7EDFB4F8F36DF7DC10590E
- Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
- Subject: CN=Google LLC, O=Google LLC, L=Mountain View, S=ca, C=US
File Metadata
- Original Filename: chrome.exe
- Product Name: Google Chrome
- Company Name: Google LLC
- File Version: 84.0.4147.125
- Product Version: 84.0.4147.125
- Language: English (United States)
- Legal Copyright: Copyright 2020 Google LLC. All rights reserved.
Possible Misuse
The following table contains possible examples of chrome.exe
being misused. While chrome.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proxy_apt40.yml | c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' |
DRL 1.0 |
sigma | proxy_ua_apt.yml | - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware |
DRL 1.0 |
sigma | proxy_ua_apt.yml | - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin |
DRL 1.0 |
sigma | proxy_ua_frameworks.yml | - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13' |
DRL 1.0 |
sigma | proxy_ua_malware.yml | - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK |
DRL 1.0 |
sigma | web_exchange_exploitation_hafnium.yml | - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36' |
DRL 1.0 |
sigma | win_suspicious_outbound_kerberos_connection.yml | - '\chrome.exe' |
DRL 1.0 |
sigma | win_user_driver_loaded.yml | - '\Google\Chrome\Application\chrome.exe' |
DRL 1.0 |
sigma | win_alert_lsass_access.yml | - Google Chrome GoogleUpdate.exe |
DRL 1.0 |
sigma | dns_query_win_susp_ipify.yml | - \chrome.exe |
DRL 1.0 |
sigma | file_event_win_mal_vhd_download.yml | - chrome.exe |
DRL 1.0 |
sigma | net_connection_win_suspicious_outbound_kerberos_connection.yml | - '\chrome.exe' |
DRL 1.0 |
sigma | net_connection_win_susp_rdp.yml | - '\chrome.exe' |
DRL 1.0 |
sigma | pipe_created_susp_cobaltstrike_pipe_patterns.yml | - Chrome instances using the exactly same name pipe named mojo.something |
DRL 1.0 |
sigma | posh_ps_access_to_browser_login_data.yml | - '\Google\Chrome\User Data\Default\Login Data' |
DRL 1.0 |
sigma | posh_ps_access_to_browser_login_data.yml | - '\Google\Chrome\User Data\Default\Login Data For Account' |
DRL 1.0 |
sigma | posh_ps_access_to_chrome_login_data.yml | title: Accessing Encrypted Credentials from Google Chrome Login Database |
DRL 1.0 |
sigma | posh_ps_access_to_chrome_login_data.yml | - '\Google\Chrome\User Data\Default\Login Data' |
DRL 1.0 |
sigma | posh_ps_access_to_chrome_login_data.yml | - '\Google\Chrome\User Data\Default\Login Data For Account' |
DRL 1.0 |
sigma | proc_creation_win_headless_browser_file_download.yml | - '\chrome.exe' |
DRL 1.0 |
sigma | proc_creation_win_plugx_susp_exe_locations.yml | Image\|contains: '\Google\Chrome\application\' |
DRL 1.0 |
sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\chrome.exe' |
DRL 1.0 |
sigma | registry_event_chrome_extension.yml | title: Running Chrome VPN Extensions via the Registry 2 VPN Extension |
DRL 1.0 |
sigma | registry_event_chrome_extension.yml | description: Running Chrome VPN Extensions via the Registry install 2 vpn extension |
DRL 1.0 |
sigma | registry_event_chrome_extension.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension |
DRL 1.0 |
sigma | registry_event_chrome_extension.yml | TargetObject\|contains: 'Software\Wow6432Node\Google\Chrome\Extensions' |
DRL 1.0 |
sigma | registry_event_chrome_extension.yml | - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome |
DRL 1.0 |
sigma | registry_event_dns_over_https_enabled.yml | TargetObject\|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' |
DRL 1.0 |
sigma | registry_event_runonce_persistence.yml | Details\|startswith: '"C:\Program Files\Google\Chrome\Application\' |
DRL 1.0 |
sigma | sysmon_process_hollowing.yml | - '\chrome.exe' |
DRL 1.0 |
malware-ioc | badiis.yar | $p4 = "X-Chrome-Variations" |
© ESET 2014-2018 |
malware-ioc | misp-badiis.json | "value": "COM_InterProt, X-Chrome-Variations", |
© ESET 2014-2018 |
malware-ioc | misp-badiis.json | "value": "Sense-Pwd, X-Chrome-Variations", |
© ESET 2014-2018 |
malware-ioc | misp-badiis.json | "value": "X-Password, X-Chrome-Variations", |
© ESET 2014-2018 |
malware-ioc | misp-badiis.json | "value": "XXXYYY-Ref, X-Chrome-Variations", |
© ESET 2014-2018 |
malware-ioc | badiis | * COM_InterProt, X-Chrome-Variations``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
malware-ioc | badiis | * Sense-Pwd, X-Chrome-Variations``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
malware-ioc | badiis | * X-Password, X-Chrome-Variations``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
malware-ioc | badiis | * XXXYYY-Ref, X-Chrome-Variations``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
malware-ioc | misp-machete-event.json | "value": "Chrome.exe", |
© ESET 2014-2018 |
malware-ioc | misp-machete-event.json | "value": "chrome.sfx.exe", |
© ESET 2014-2018 |
malware-ioc | machete | === Chrome.exe |
© ESET 2014-2018 |
malware-ioc | machete | \| 03929A5530639C1D9DBD395A298C59FD7EFF1DEC\|chrome.sfx.exe |
© ESET 2014-2018 |
malware-ioc | machete | \| 0AC64E08E63601AD9D6A4EF019E5B374784AF80A\|chrome.sfx.exe |
© ESET 2014-2018 |
malware-ioc | machete | \| 161629F63422AB34108854662313F87A278DD7F5\|chrome.sfx.exe |
© ESET 2014-2018 |
malware-ioc | machete | \| 67ECBC1E9A66719C599E6DDED33A85F70DACA13E\|chrome.sfx.exe |
© ESET 2014-2018 |
malware-ioc | mispadu | === Google Chrome extension |
© ESET 2014-2018 |
malware-ioc | mispadu | \| 8B950BF660AA7B5FB619E1F6E665D348BF56C86A \| Google Chrome credential stealer \| Win32/PSWTool.ChromePass.A |
© ESET 2014-2018 |
malware-ioc | 2020_Q2 | === Chrome addons |
© ESET 2014-2018 |
malware-ioc | stantinko.yar | $x1 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36" fullword ascii |
© ESET 2014-2018 |
malware-ioc | misp-turla-crutch-event.json | "value": "%PROGRAMFILES%\\(x86)\\Google\\Chrome\\Application\\dwmapi.dll", |
© ESET 2014-2018 |
malware-ioc | turla | * ++C:\Program Files (x86)\Google\Chrome\Application\dwmapi.dll++``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #1: Run Chrome-password Collector [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #4: Simulating access to Chrome Login Data [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #7: Headless Chrome code execution via VBA [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | linux-index.md | - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] | MIT License. © 2018 Red Canary |
atomic-red-team | linux-index.md | - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] | MIT License. © 2018 Red Canary |
atomic-red-team | macos-index.md | - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos] | MIT License. © 2018 Red Canary |
atomic-red-team | macos-index.md | - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] | MIT License. © 2018 Red Canary |
atomic-red-team | macos-index.md | - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Run Chrome-password Collector [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #4: Simulating access to Chrome Login Data [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #7: Headless Chrome code execution via VBA [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | - Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | ## Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see “T1133\src\list of vpn extension.txt” to view complete list | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | | chrome_url | chrome installer download URL | Url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe| | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | | extension_id | chrome extension id | String | “fcfhplploccackoneaefokcmbjfbkenj”, “fdcgdnkidjaadafnichfpabhfomcebme”| | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions$extension -Force | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | New-ItemProperty -Path “HKLM:\Software\Wow6432Node\Google\Chrome\Extensions$extension” -Name “update_url” -Value “https://clients2.google.com/service/update2/crx” -PropertyType “String” -Force} | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | Start chrome | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | Stop-Process -Name “chrome” | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | Remove-Item -Path “HKLM:\Software\Wow6432Node\Google\Chrome\Extensions$extension” -ErrorAction Ignore} | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | ##### Description: Chrome must be installed | MIT License. © 2018 Red Canary |
atomic-red-team | T1133.md | if ((Test-Path “C:\Program Files\Google\Chrome\Application\chrome.exe”) -Or (Test-Path “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”)) {exit 0} else {exit 1} | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | <blockquote>Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser’s app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension’s update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) |
MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | - Atomic Test #1 - Chrome (Developer Mode) | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | - Atomic Test #2 - Chrome (Chrome Web Store) | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | ## Atomic Test #1 - Chrome (Developer Mode) | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | Turn on Chrome developer mode and Load Extension found in the src directory | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | 1. Navigate to chrome://extensions and | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | ## Atomic Test #2 - Chrome (Chrome Web Store) | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | Install the “Minimum Viable Malicious Extension” Chrome extension | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | 1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | in Chrome | MIT License. © 2018 Red Canary |
atomic-red-team | T1176.md | 2. Click ‘Add to Chrome’ | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | - Atomic Test #7 - Headless Chrome code execution via VBA | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | ## Atomic Test #7 - Headless Chrome code execution via VBA | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | ##### Description: Google Chrome must be installed | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | $chromeInstalled = (Get-Item (Get-ItemProperty ‘HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe’).’(Default)’).VersionInfo.FileName | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | Write-Host “You will need to install Google Chrome manually to meet this requirement” | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | - Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | - Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | - Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | ## Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | Searches for Google Chrome’s Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | | output_file | Path where captured results will be placed. | Path | /tmp/T1217-Chrome.txt| | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | find / -path “/Google/Chrome//Bookmarks” -exec echo {} » #{output_file} \; | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | ## Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | Searches for Google Chrome’s and Opera’s Bookmarks file (on Windows distributions) that contains bookmarks. | MIT License. © 2018 Red Canary |
atomic-red-team | T1217.md | ## Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins; . The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData , which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) |
MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | - Atomic Test #1 - Run Chrome-password Collector | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | - Atomic Test #4 - Simulating access to Chrome Login Data | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | ## Atomic Test #1 - Run Chrome-password Collector | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}. | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | ## Atomic Test #4 - Simulating access to Chrome Login Data | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | Simulates an adversary accessing encrypted credentials from Google Chrome Login database. | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | Copy-Item “$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data” -Destination $env:temp | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | Copy-Item “$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account” -Destination $env:temp | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | ##### Description: Chrome must be installed | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | if ((Test-Path “C:\Program Files\Google\Chrome\Application\chrome.exe”) -Or (Test-Path “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”)) {exit 0} else {exit 1} | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | Start-Process -FilePath “chrome.exe” | MIT License. © 2018 Red Canary |
atomic-red-team | T1555.003.md | Stop-Process -Name “chrome” | MIT License. © 2018 Red Canary |
signature-base | airbnb_binaryalert.yar | description = “Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X.” | CC BY-NC 4.0 |
signature-base | airbnb_binaryalert.yar | $a1 = “Credit Cards for Chrome Profile” wide ascii | CC BY-NC 4.0 |
signature-base | airbnb_binaryalert.yar | $a2 = “Passwords for Chrome Profile” wide ascii | CC BY-NC 4.0 |
signature-base | airbnb_binaryalert.yar | $a4 = “ERROR getting Chrome Safe Storage Key” wide ascii | CC BY-NC 4.0 |
signature-base | apt_apt27_hyperbro.yar | $s2 = “Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36” ascii wide nocase | CC BY-NC 4.0 |
signature-base | apt_apt37_bluelight.yar | $chrome1 = “Failed to get chrome cookie” | CC BY-NC 4.0 |
signature-base | apt_apt37_bluelight.yar | 24 of ($chrome*) or | CC BY-NC 4.0 |
signature-base | apt_apt41.yar | $s3 = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_buckeye.yar | $x3 = “Chrome User Data folder where the password file is stored” wide | CC BY-NC 4.0 |
signature-base | apt_buckeye.yar | $s4 = “Chrome Passwords List!Select the windows profile folder” fullword wide | CC BY-NC 4.0 |
signature-base | apt_buckeye.yar | $s8 = “Chrome Password Recovery” fullword wide | CC BY-NC 4.0 |
signature-base | apt_dragonfly.yar | $s7 = “\Appdata\Local\Google\Chrome\User Data\Default\” fullword wide | CC BY-NC 4.0 |
signature-base | apt_duqu2.yar | $x2 = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7xs5D9rRDFpg2g” fullword wide | CC BY-NC 4.0 |
signature-base | apt_freemilk.yar | $s3 = “\Google\Chrome\User Data\Default\Login Data” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_hafnium_log_sigs.yar | $xr3 = /POST \/owa\/auth\/Current\/[^\n]{100,600} (DuckDuckBot\/1.0;+(+http:\/\/duckduckgo.com\/duckduckbot.html)|facebookexternalhit\/1.1+(+http:\/\/www.facebook.com\/externalhit_uatext.php)|Mozilla\/5.0+(compatible;+Baiduspider\/2.0;++http:\/\/www.baidu.com\/search\/spider.html)|Mozilla\/5.0+(compatible;+Bingbot\/2.0;++http:\/\/www.bing.com\/bingbot.htm)|Mozilla\/5.0+(compatible;+Googlebot\/2.1;++http:\/\/www.google.com\/bot.html|Mozilla\/5.0+(compatible;+Konqueror\/3.5;+Linux)+KHTML\/3.5.5+(like+Gecko)+(Exabot-Thumbnails)|Mozilla\/5.0+(compatible;+Yahoo!+Slurp;+http:\/\/help.yahoo.com\/help\/us\/ysearch\/slurp)|Mozilla\/5.0+(compatible;+YandexBot\/3.0;++http:\/\/yandex.com\/bots)|Mozilla\/5.0+(X11;+Linux+x86_64)+AppleWebKit\/537.36+(KHTML,+like+Gecko)+Chrome\/51.0.2704.103+Safari\/537.3)/ | CC BY-NC 4.0 |
signature-base | apt_iamtheking.yar | $s3 = “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75” ascii fullword | CC BY-NC 4.0 |
signature-base | apt_rokrat.yar | $a1 = “\Google\Chrome\User Data\Default\Login Data” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_shellcrew_streamex.yar | $d = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36” wide | CC BY-NC 4.0 |
signature-base | apt_stonedrill.yar | $s1 = “WshShell.CopyFile "%COMMON_APPDATA%\Chrome\” ascii | CC BY-NC 4.0 |
signature-base | apt_stonedrill.yar | $s5 = “ , "%COMMON_APPDATA%\Chrome\” ascii | CC BY-NC 4.0 |
signature-base | apt_telebots.yar | $s5 = “\Local\Google\Chrome\User Data\Default\Login Data” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_turla_mosquito.yar | $s1 = “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” fullword wide | CC BY-NC 4.0 |
signature-base | apt_turla_mosquito.yar | $a2 = “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” fullword wide | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | description = “Detects Chrome password dumper used in Operation Wilted Tulip” | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | $x1 = “%s.exe -f "C:\Users\Admin\Google\Chrome\TestProfile" -o "c:\passlist.txt"” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | $x3 = “//Dump Chrome Passwords to a Output file "c:\passlist.txt"” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_xrat.yar | $s3 = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36” fullword wide | CC BY-NC 4.0 |
signature-base | crime_bad_patch.yar | $s2 = “\Appdata\Local\Google\Chrome\User Data\Default\Login Data.*” fullword wide | CC BY-NC 4.0 |
signature-base | crime_bad_patch.yar | $s4 = “\Appdata\Local\Google\Chrome\User Data\Default\Cookies.*” fullword wide | CC BY-NC 4.0 |
signature-base | crime_credstealer_generic.yar | $s5 = “%s\Google\Chrome\User Data\Default\Login Data” fullword ascii | CC BY-NC 4.0 |
signature-base | crime_envrial.yar | $a3 = “\Google\Chrome\User Data\Default\Login Data” fullword wide | CC BY-NC 4.0 |
signature-base | crime_mirai.yar | $s1 = “User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36” fullword ascii | CC BY-NC 4.0 |
signature-base | crime_rombertik_carbongrabber.yar | $s4 = “chrome.exe” fullword ascii | CC BY-NC 4.0 |
signature-base | crime_rombertik_carbongrabber.yar | $s6 = “chrome.dll” fullword ascii | CC BY-NC 4.0 |
signature-base | crime_rombertik_carbongrabber.yar | $s8 = “Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome” ascii | CC BY-NC 4.0 |
signature-base | crime_socgholish.yar | $a2 = “Chrome” ascii | CC BY-NC 4.0 |
signature-base | exploit_cve_2015_2426.yar | $s3 = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36” fullword ascii /* PEStudio Blacklist: strings */ | CC BY-NC 4.0 |
signature-base | general_cloaking.yar | and not filepath contains “Chrome” | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | description = “Detects uncommon file size of chrome.exe” | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | and filename == “chrome.exe” | CC BY-NC 4.0 |
signature-base | mal_passwordstate_backdoor.yar | $s3 = “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari” wide fullword | CC BY-NC 4.0 |
signature-base | spy_equation_fiveeyes.yar | $s5 = “Chrome” fullword wide | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s4 = “softwares.chrome(“ fullword ascii | CC BY-NC 4.0 |
stockpile | 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml | name: Check Chrome |
Apache-2.0 |
stockpile | 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml | description: Check to see if Gooogle Chrome browser is installed |
Apache-2.0 |
stockpile | 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml | which google-chrome |
Apache-2.0 |
stockpile | b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml | name: Get Chrome Bookmarks |
Apache-2.0 |
stockpile | b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml | description: Get Chrome Bookmarks |
Apache-2.0 |
stockpile | b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml | cat ~/Library/Application\ Support/Google/Chrome/Default/Bookmarks |
Apache-2.0 |
stockpile | b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml | - source: host.chrome.bookmark_title |
Apache-2.0 |
stockpile | b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml | target: host.chrome.bookmark_url |
Apache-2.0 |
stockpile | de52784d-4de6-4d4e-b79e-e7b68fe037fb.yml | osascript bookmark.scpt #{host.chrome.bookmark_title[filters(max=1)]} #{server.malicious.url[filters(max=1)]} |
Apache-2.0 |
stockpile | 110cea7a-5b03-4443-92ee-7ccefaead451.yml | $userAgentField = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\"; |
Apache-2.0 |
stockpile | ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml | $client.DefaultRequestHeaders.Add("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"); |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.