chrome.exe

  • File Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  • Description: Google Chrome

Screenshot

(screenshot of the chrome.exe window; image not reproduced in text)

Hashes

Type Hash
MD5 DD65B7854FB27E26AFD9F1315EEE2265
SHA1 8F66E220CBAC8565F32700397B08A7ABF777CC2E
SHA256 768B39D67FE884B1B216803B76F5AFCEFADB860544FD0E52C3F286670A740DBB
SHA384 E577241E85F2EBB3875E2F0F728C3825E148D4032C3835EAC8BF57C0F149A506D54C8A180A2F6733AED3F3C1F1B2935D
SHA512 E5D3277410F7A8BB10EE0E7556E0EFF84870CD82B53F16595DD4AAAFD3F5514952981E77AA41BBDD8C93321AB57E9E94C8E1652188D1F4F91AAFA1E53E0EBF6A
SSDEEP 49152:ow0gosk0A21nX0AvsYVp2GSbKin8wRuTrhXq:owqske0Aej
IMP 891D2BAFA4260189E94CAC8FB19F369A
PESHA1 E0E791EEE14FE02F69314F00A7423447FCC2B865
PE256 E315BDC7284342C67E4DE8CD3D81461F9FE2AD69995E2E3C3491FBD04A41BBEE

Runtime Data

Usage (stderr):

[1106/200238.889:ERROR:registration_protocol_win.cc(130)] TransactNamedPipe: The pipe has been ended. (0x6D)
[1106/200238.890:ERROR:crash_report_database_win.cc(605)] CreateDirectory C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad: The system cannot find the path specified. (0x3)

Child Processes:

chrome.exe (10 instances)

Window Title:

New Tab - Google Chrome

Open Handles:

Path Type
(R--) C:\Users\user\AppData\Local\Google\Chrome\User Data\lockfile File
(R-D) C:\Program Files\Google\Chrome\Application\95.0.4638.69\chrome_100_percent.pak File
(R-D) C:\Program Files\Google\Chrome\Application\95.0.4638.69\chrome_200_percent.pak File
(R-D) C:\Program Files\Google\Chrome\Application\95.0.4638.69\Locales\en-US.pak File
(R-D) C:\Program Files\Google\Chrome\Application\95.0.4638.69\resources.pak File
(R-D) C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-618717AA-624.pma File
(R-D) C:\Windows\System32\en-US\crypt32.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\propsys.dll.mui File
(R-D) C:\Windows\System32\en-US\user32.dll.mui File
(RW-) C:\Program Files\Google\Chrome\Application\95.0.4638.69 File
(RW-) C:\Program Files\Google\Chrome\Application\95.0.4638.69\icudtl.dat File
(RW-) C:\Program Files\Google\Chrome\Application\95.0.4638.69\v8_context_snapshot.bin File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001 File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOCK File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000001 File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001 File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Visited Links File
(RW-) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_0 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_1 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_2 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\data_3 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\GPUCache\index File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3 File
(RWD) C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index File
(RWD) C:\Users\user\AppData\Roaming\Microsoft\Spelling File
(RWD) C:\Windows\Fonts\segoeui.ttf File
(RWD) C:\Windows\Fonts\seguisb.ttf File
(RWD) C:\Windows\System32\drivers\etc File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\1DefaultTIPSharedMemory Section
\Sessions\1\BaseNamedObjects\624HWNDInterface:2c0970 Section
\Sessions\1\BaseNamedObjects\624HWNDInterface:310972 Section
\Sessions\1\BaseNamedObjects\624HWNDInterface:32098e Section
\Sessions\1\BaseNamedObjects\624HWNDInterface:3b09a2 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Program Files\Google\Chrome\Application\95.0.4638.69\chrome_elf.dll
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 0E4418E2DEDE36DD2974C3443AFB5CE5
  • Thumbprint: 2673EA6CC23BEFFDA49AC715B121544098A1284C
  • Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
  • Subject: CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US

File Metadata

  • Original Filename: chrome.exe
  • Product Name: Google Chrome
  • Company Name: Google LLC
  • File Version: 95.0.4638.69
  • Product Version: 95.0.4638.69
  • Language: English (United States)
  • Legal Copyright: Copyright 2021 Google LLC. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/768b39d67fe884b1b216803b76f5afcefadb860544fd0e52c3f286670a740dbb/detection

Possible Misuse

The following table contains possible examples of chrome.exe being misused. While chrome.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_apt40.yml c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin DRL 1.0
sigma proxy_ua_frameworks.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13' DRL 1.0
sigma proxy_ua_malware.yml - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK DRL 1.0
sigma web_exchange_exploitation_hafnium.yml - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36' DRL 1.0
sigma win_suspicious_outbound_kerberos_connection.yml - '\chrome.exe' DRL 1.0
sigma win_user_driver_loaded.yml - '\Google\Chrome\Application\chrome.exe' DRL 1.0
sigma win_alert_lsass_access.yml - Google Chrome GoogleUpdate.exe DRL 1.0
sigma dns_query_win_susp_ipify.yml - \chrome.exe DRL 1.0
sigma file_event_win_mal_vhd_download.yml - chrome.exe DRL 1.0
sigma net_connection_win_suspicious_outbound_kerberos_connection.yml - '\chrome.exe' DRL 1.0
sigma net_connection_win_susp_rdp.yml - '\chrome.exe' DRL 1.0
sigma pipe_created_susp_cobaltstrike_pipe_patterns.yml - Chrome instances using the exactly same name pipe named mojo.something DRL 1.0
sigma posh_ps_access_to_browser_login_data.yml - '\Google\Chrome\User Data\Default\Login Data' DRL 1.0
sigma posh_ps_access_to_browser_login_data.yml - '\Google\Chrome\User Data\Default\Login Data For Account' DRL 1.0
sigma posh_ps_access_to_chrome_login_data.yml title: Accessing Encrypted Credentials from Google Chrome Login Database DRL 1.0
sigma posh_ps_access_to_chrome_login_data.yml - '\Google\Chrome\User Data\Default\Login Data' DRL 1.0
sigma posh_ps_access_to_chrome_login_data.yml - '\Google\Chrome\User Data\Default\Login Data For Account' DRL 1.0
sigma proc_creation_win_headless_browser_file_download.yml - '\chrome.exe' DRL 1.0
sigma proc_creation_win_plugx_susp_exe_locations.yml Image|contains: '\Google\Chrome\application\' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\chrome.exe' DRL 1.0
sigma registry_event_chrome_extension.yml title: Running Chrome VPN Extensions via the Registry 2 VPN Extension DRL 1.0
sigma registry_event_chrome_extension.yml description: Running Chrome VPN Extensions via the Registry install 2 vpn extension DRL 1.0
sigma registry_event_chrome_extension.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension DRL 1.0
sigma registry_event_chrome_extension.yml TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions' DRL 1.0
sigma registry_event_chrome_extension.yml - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome DRL 1.0
sigma registry_event_dns_over_https_enabled.yml TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' DRL 1.0
sigma registry_event_runonce_persistence.yml Details|startswith: '"C:\Program Files\Google\Chrome\Application\' DRL 1.0
sigma sysmon_process_hollowing.yml - '\chrome.exe' DRL 1.0
malware-ioc badiis.yar $p4 = "X-Chrome-Variations" © ESET 2014-2018
malware-ioc misp-badiis.json "value": "COM_InterProt, X-Chrome-Variations", © ESET 2014-2018
malware-ioc misp-badiis.json "value": "Sense-Pwd, X-Chrome-Variations", © ESET 2014-2018
malware-ioc misp-badiis.json "value": "X-Password, X-Chrome-Variations", © ESET 2014-2018
malware-ioc misp-badiis.json "value": "XXXYYY-Ref, X-Chrome-Variations", © ESET 2014-2018
malware-ioc badiis * COM_InterProt, X-Chrome-Variations © ESET 2014-2018
malware-ioc badiis * Sense-Pwd, X-Chrome-Variations © ESET 2014-2018
malware-ioc badiis * X-Password, X-Chrome-Variations © ESET 2014-2018
malware-ioc badiis * XXXYYY-Ref, X-Chrome-Variations © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Chrome.exe", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "chrome.sfx.exe", © ESET 2014-2018
malware-ioc machete === Chrome.exe © ESET 2014-2018
malware-ioc machete |03929A5530639C1D9DBD395A298C59FD7EFF1DEC|chrome.sfx.exe © ESET 2014-2018
malware-ioc machete |0AC64E08E63601AD9D6A4EF019E5B374784AF80A|chrome.sfx.exe © ESET 2014-2018
malware-ioc machete |161629F63422AB34108854662313F87A278DD7F5|chrome.sfx.exe © ESET 2014-2018
malware-ioc machete |67ECBC1E9A66719C599E6DDED33A85F70DACA13E|chrome.sfx.exe © ESET 2014-2018
malware-ioc mispadu === Google Chrome extension © ESET 2014-2018
malware-ioc mispadu | 8B950BF660AA7B5FB619E1F6E665D348BF56C86A | Google Chrome credential stealer | Win32/PSWTool.ChromePass.A © ESET 2014-2018
malware-ioc 2020_Q2 === Chrome addons © ESET 2014-2018
malware-ioc stantinko.yar $x1 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36" fullword ascii © ESET 2014-2018
malware-ioc misp-turla-crutch-event.json "value": "%PROGRAMFILES%\\(x86)\\Google\\Chrome\\Application\\dwmapi.dll", © ESET 2014-2018
malware-ioc turla * ++C:\Program Files (x86)\Google\Chrome\Application\dwmapi.dll++ © ESET 2014-2018
atomic-red-team index.md - Atomic Test #1: Run Chrome-password Collector [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Simulating access to Chrome Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #7: Headless Chrome code execution via VBA [windows] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Run Chrome-password Collector [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Simulating access to Chrome Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: Headless Chrome code execution via VBA [windows] MIT License. © 2018 Red Canary
atomic-red-team T1133.md - Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension MIT License. © 2018 Red Canary
atomic-red-team T1133.md ## Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension MIT License. © 2018 Red Canary
atomic-red-team T1133.md Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list MIT License. © 2018 Red Canary
atomic-red-team T1133.md | chrome_url | chrome installer download URL | Url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe| MIT License. © 2018 Red Canary
atomic-red-team T1133.md | extension_id | chrome extension id | String | "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"| MIT License. © 2018 Red Canary
atomic-red-team T1133.md New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force MIT License. © 2018 Red Canary
atomic-red-team T1133.md New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force} MIT License. © 2018 Red Canary
atomic-red-team T1133.md Start chrome MIT License. © 2018 Red Canary
atomic-red-team T1133.md Stop-Process -Name "chrome" MIT License. © 2018 Red Canary
atomic-red-team T1133.md Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore} MIT License. © 2018 Red Canary
atomic-red-team T1133.md ##### Description: Chrome must be installed MIT License. © 2018 Red Canary
atomic-red-team T1133.md if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1176.md <blockquote>Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) MIT License. © 2018 Red Canary
atomic-red-team T1176.md Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. MIT License. © 2018 Red Canary
atomic-red-team T1176.md Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) MIT License. © 2018 Red Canary
atomic-red-team T1176.md Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. MIT License. © 2018 Red Canary
atomic-red-team T1176.md There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1176.md - Atomic Test #1 - Chrome (Developer Mode) MIT License. © 2018 Red Canary
atomic-red-team T1176.md - Atomic Test #2 - Chrome (Chrome Web Store) MIT License. © 2018 Red Canary
atomic-red-team T1176.md ## Atomic Test #1 - Chrome (Developer Mode) MIT License. © 2018 Red Canary
atomic-red-team T1176.md Turn on Chrome developer mode and Load Extension found in the src directory MIT License. © 2018 Red Canary
atomic-red-team T1176.md 1. Navigate to chrome://extensions and MIT License. © 2018 Red Canary
atomic-red-team T1176.md ## Atomic Test #2 - Chrome (Chrome Web Store) MIT License. © 2018 Red Canary
atomic-red-team T1176.md Install the "Minimum Viable Malicious Extension" Chrome extension MIT License. © 2018 Red Canary
atomic-red-team T1176.md 1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend MIT License. © 2018 Red Canary
atomic-red-team T1176.md in Chrome MIT License. © 2018 Red Canary
atomic-red-team T1176.md 2. Click 'Add to Chrome' MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md - Atomic Test #7 - Headless Chrome code execution via VBA MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md ## Atomic Test #7 - Headless Chrome code execution via VBA MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md ##### Description: Google Chrome must be installed MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Write-Host "You will need to install Google Chrome manually to meet this requirement" MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. MIT License. © 2018 Red Canary
atomic-red-team T1217.md | output_file | Path where captured results will be placed. | Path | /tmp/T1217-Chrome.txt| MIT License. © 2018 Red Canary
atomic-red-team T1217.md find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \; MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Google Chrome's and Opera's Bookmarks file (on Windows distributions) that contains bookmarks. MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim's cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md - Atomic Test #1 - Run Chrome-password Collector MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md - Atomic Test #4 - Simulating access to Chrome Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ## Atomic Test #1 - Run Chrome-password Collector MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ## Atomic Test #4 - Simulating access to Chrome Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Simulates an adversary accessing encrypted credentials from Google Chrome Login database. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination $env:temp MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination $env:temp MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Chrome must be installed MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Start-Process -FilePath "chrome.exe" MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Stop-Process -Name "chrome" MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar description = "Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X." CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $a1 = "Credit Cards for Chrome Profile" wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $a2 = "Passwords for Chrome Profile" wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $a4 = "ERROR getting Chrome Safe Storage Key" wide ascii CC BY-NC 4.0
signature-base apt_apt27_hyperbro.yar $s2 = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36" ascii wide nocase CC BY-NC 4.0
signature-base apt_apt37_bluelight.yar $chrome1 = "Failed to get chrome cookie" CC BY-NC 4.0
signature-base apt_apt37_bluelight.yar 24 of ($chrome*) or CC BY-NC 4.0
signature-base apt_apt41.yar $s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" fullword ascii CC BY-NC 4.0
signature-base apt_buckeye.yar $x3 = "Chrome User Data folder where the password file is stored" wide CC BY-NC 4.0
signature-base apt_buckeye.yar $s4 = "Chrome Passwords List!Select the windows profile folder" fullword wide CC BY-NC 4.0
signature-base apt_buckeye.yar $s8 = "Chrome Password Recovery" fullword wide CC BY-NC 4.0
signature-base apt_dragonfly.yar $s7 = "\Appdata\Local\Google\Chrome\User Data\Default\" fullword wide CC BY-NC 4.0
signature-base apt_duqu2.yar $x2 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7xs5D9rRDFpg2g" fullword wide CC BY-NC 4.0
signature-base apt_freemilk.yar $s3 = "\Google\Chrome\User Data\Default\Login Data" fullword ascii CC BY-NC 4.0
signature-base apt_hafnium_log_sigs.yar $xr3 = /POST \/owa\/auth\/Current\/[^\n]{100,600} (DuckDuckBot\/1.0;+(+http:\/\/duckduckgo.com\/duckduckbot.html)|facebookexternalhit\/1.1+(+http:\/\/www.facebook.com\/externalhit_uatext.php)|Mozilla\/5.0+(compatible;+Baiduspider\/2.0;++http:\/\/www.baidu.com\/search\/spider.html)|Mozilla\/5.0+(compatible;+Bingbot\/2.0;++http:\/\/www.bing.com\/bingbot.htm)|Mozilla\/5.0+(compatible;+Googlebot\/2.1;++http:\/\/www.google.com\/bot.html|Mozilla\/5.0+(compatible;+Konqueror\/3.5;+Linux)+KHTML\/3.5.5+(like+Gecko)+(Exabot-Thumbnails)|Mozilla\/5.0+(compatible;+Yahoo!+Slurp;+http:\/\/help.yahoo.com\/help\/us\/ysearch\/slurp)|Mozilla\/5.0+(compatible;+YandexBot\/3.0;++http:\/\/yandex.com\/bots)|Mozilla\/5.0+(X11;+Linux+x86_64)+AppleWebKit\/537.36+(KHTML,+like+Gecko)+Chrome\/51.0.2704.103+Safari\/537.3)/ CC BY-NC 4.0
signature-base apt_iamtheking.yar $s3 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75" ascii fullword CC BY-NC 4.0
signature-base apt_rokrat.yar $a1 = "\Google\Chrome\User Data\Default\Login Data" fullword ascii CC BY-NC 4.0
signature-base apt_shellcrew_streamex.yar $d = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36" wide CC BY-NC 4.0
signature-base apt_stonedrill.yar $s1 = "WshShell.CopyFile "%COMMON_APPDATA%\Chrome\" ascii CC BY-NC 4.0
signature-base apt_stonedrill.yar $s5 = " , "%COMMON_APPDATA%\Chrome\" ascii CC BY-NC 4.0
signature-base apt_telebots.yar $s5 = "\Local\Google\Chrome\User Data\Default\Login Data" fullword ascii CC BY-NC 4.0
signature-base apt_turla_mosquito.yar $s1 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide CC BY-NC 4.0
signature-base apt_turla_mosquito.yar $a2 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar description = "Detects Chrome password dumper used in Operation Wilted Tulip" CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $x1 = "%s.exe -f "C:\Users\Admin\Google\Chrome\TestProfile" -o "c:\passlist.txt"" fullword ascii CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $x3 = "//Dump Chrome Passwords to a Output file "c:\passlist.txt"" fullword ascii CC BY-NC 4.0
signature-base apt_xrat.yar $s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" fullword wide CC BY-NC 4.0
signature-base crime_bad_patch.yar $s2 = "\Appdata\Local\Google\Chrome\User Data\Default\Login Data.*" fullword wide CC BY-NC 4.0
signature-base crime_bad_patch.yar $s4 = "\Appdata\Local\Google\Chrome\User Data\Default\Cookies.*" fullword wide CC BY-NC 4.0
signature-base crime_credstealer_generic.yar $s5 = "%s\Google\Chrome\User Data\Default\Login Data" fullword ascii CC BY-NC 4.0
signature-base crime_envrial.yar $a3 = "\Google\Chrome\User Data\Default\Login Data" fullword wide CC BY-NC 4.0
signature-base crime_mirai.yar $s1 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36" fullword ascii CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s4 = "chrome.exe" fullword ascii CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s6 = "chrome.dll" fullword ascii CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s8 = "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome" ascii CC BY-NC 4.0
signature-base crime_socgholish.yar $a2 = "Chrome" ascii CC BY-NC 4.0
signature-base exploit_cve_2015_2426.yar $s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base general_cloaking.yar and not filepath contains "Chrome" CC BY-NC 4.0
signature-base generic_anomalies.yar description = "Detects uncommon file size of chrome.exe" CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == "chrome.exe" CC BY-NC 4.0
signature-base mal_passwordstate_backdoor.yar $s3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari" wide fullword CC BY-NC 4.0
signature-base spy_equation_fiveeyes.yar $s5 = "Chrome" fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = "softwares.chrome(" fullword ascii CC BY-NC 4.0
stockpile 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml name: Check Chrome Apache-2.0
stockpile 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml description: Check to see if Gooogle Chrome browser is installed Apache-2.0
stockpile 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml which google-chrome Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml name: Get Chrome Bookmarks Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml description: Get Chrome Bookmarks Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml cat ~/Library/Application\ Support/Google/Chrome/Default/Bookmarks Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml - source: host.chrome.bookmark_title Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml target: host.chrome.bookmark_url Apache-2.0
stockpile de52784d-4de6-4d4e-b79e-e7b68fe037fb.yml osascript bookmark.scpt #{host.chrome.bookmark_title[filters(max=1)]} #{server.malicious.url[filters(max=1)]} Apache-2.0
stockpile 110cea7a-5b03-4443-92ee-7ccefaead451.yml $userAgentField = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\"; Apache-2.0
stockpile ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml $client.DefaultRequestHeaders.Add("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"); Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.