Hello, welcome to the Friday, February 5th, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

Today we got an interesting diary by Boyan. Boyan recently investigated a compromise that was performed by a somewhat more advanced adversary

and targeted against a particular company.

After this attacker was able to compromise a desktop,

they used a Google Chrome extension in order to achieve persistence

on that desktop.

Google Chrome extensions, of course, are interesting because first of all, they have full

control over whatever you're doing in Google, and then they're a little bit more stealthy.

In this particular case, they actually named the Google extension. in Google and then they're a little bit more stealthy.

In this particular case, they actually named the Google extension ForcePoint endpoint for Windows.

So this looks like some legitimate software that you may get as part of the Force Point Security Suite. And then, of course, they were able to observe the user browsing

and they were able to exfiltrate or extract

any authentication tokens from sessions

that the user opened within that browser.

With these Google Chrome extensions, you essentially can write JavaScript code that's then being loaded in the browser,

and that has the ability to modify any page that the user visits, and that's in part the point of many Google Chrome extensions.

But it gets really sort of interesting is how they exfiltrated the data.

With Google Chrome extensions, you have some storage available on the system.

Now, it's not a lot of storage, I believe a total of about 100 kilobytes or so.

It's a simple sort of key value storage and it feels a

little bit like cookies. Each value, I believe, is about 8 kilobytes in size max. But in addition to

being able to just store the data, Google Chrome extensions also have a feature that allows

...