@Reuerb Reuerb commented Oct 27, 2025

Adding Chrome extension metadata parser target and module. Analyzes manifest and messages JSON files.

Description

The ChromeExtension_Metadata.tkape file pulls the manifest/messages.json files from each extension on the host.
The PowerShell_ChromeExtension_Metadata.mkape file leverages a simple PowerShell script to go through each of the JSON files to pull out:

  • Chrome extension friendly name
  • Description
  • Extension ID
  • Version
  • Permissions
  • Host permissions

Finally, the results are put into a CSV for review. While some responders have enterprise-grade tools to assist in the permission review of extensions, this will help those less fortunate to identify malicious/unwanted extensions, and then pivot/hunt. As we know, browser extensions continue to be an issue.

Checklist:

Please replace every instance of [ ] with [X] OR click on the checkboxes after you submit your PR

  • I have generated a unique GUID for my Target(s)/Module(s)
  • I have placed the Target(s)/Module(s) in an appropriate subfolder in Targets or Modules. If one doesn't exist, I have either added it to the Misc folder or created a relevant subfolder with justification
  • I have set or updated the version of my Target(s)/Module(s)
  • I have verified that KAPE parses the Target(s)/Module(s) successfully via kape.exe, using --tlist/--mlist and corrected any errors
  • I have validated my Target(s)/Module(s) against test data and verified they are working as intended
  • I have made an attempt to document the artifacts within the Target(s) or Module(s) I am submitting. If documentation doesn't exist, I have placed N/A underneath the Documentation header
  • For Targets, I have consulted either the Target Guide, Target Template, Compound Target Guide, or Compound Target Template to ensure my Target(s) follow the same format
  • For Modules, I have consulted either the Module Guide, Module Template, Compound Module Guide, or Compound Module Template to ensure my Module(s) follow the same format

If your submission involves an SQLite database, have you considered making an SQLECmd Map for the SQLite database? If you make a Map, please add the SQLite database to the SQLiteDatabases.tkape Compound Target.

Thank you for your submission and for contributing to the DFIR community!

@AndrewRathbun AndrewRathbun self-assigned this Oct 27, 2025
@AndrewRathbun AndrewRathbun added the enhancement label (New feature or request) Oct 27, 2025
@AndrewRathbun AndrewRathbun merged commit 66d0831 into EricZimmerman:master Oct 27, 2025
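
The kind of extraction the description outlines, as an added example that is not the script submitted in this PR: it reads each `manifest.json`, resolves `__MSG_*__` placeholders from the default locale's `messages.json`, and writes one CSV row per extension. The function name `Get-ExtensionMetadata`, the `<extension id>\<version>\manifest.json` directory layout, and the sample extension are assumptions made for illustration.

```powershell
# Added example; Get-ExtensionMetadata is a hypothetical name, not the PR's script.
# Assumed layout: <Root>\...\<32-char extension id>\<version>\manifest.json
function Get-ExtensionMetadata {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter manifest.json | ForEach-Object {
        $file = $_; $verDir = $file.Directory
        # Extension IDs are 32 characters in a-p; this skips manifest.json files nested deeper.
        if ($verDir.Parent.Name -cnotmatch '^[a-p]{32}$') { return }
        try {
            $m = Get-Content -LiteralPath $file.FullName -Raw -Encoding UTF8 | ConvertFrom-Json
            $msgs = $null
            $localeFile = Join-Path $verDir.FullName "_locales\$($m.default_locale)\messages.json"
            if ($m.default_locale -and (Test-Path -LiteralPath $localeFile)) {
                $msgs = Get-Content -LiteralPath $localeFile -Raw -Encoding UTF8 | ConvertFrom-Json
            }
        } catch { Write-Warning "Skipping unparseable JSON under $($verDir.FullName)"; return }
        # Localized manifests store "__MSG_<key>__"; look the key up in messages.json.
        $resolve = {
            param($value)
            if ($msgs -and $value -match '^__MSG_(.+)__$') {
                $entry = $msgs.PSObject.Properties[$Matches[1]]
                if ($entry) { return $entry.Value.message }
            }
            $value   # unresolved placeholders are kept as-is so the reviewer can see them
        }
        [pscustomobject]@{
            Name            = & $resolve $m.name
            Description     = & $resolve $m.description
            ExtensionId     = $verDir.Parent.Name
            Version         = $m.version
            Permissions     = @($m.permissions) -join ';'       # Manifest V2 keeps host patterns here
            HostPermissions = @($m.host_permissions) -join ';'  # Manifest V3 only
            ManifestPath    = $file.FullName
        }
    }
}

# Constructed sample data (not from a real host): one extension with a localized name.
$root = Join-Path ([IO.Path]::GetTempPath()) "ext-demo-$(Get-Random)"
$ver  = Join-Path $root ('a' * 32 + '\1.2.0_0')
New-Item -ItemType Directory -Path (Join-Path $ver '_locales\en') -Force | Out-Null
'{"manifest_version":3,"name":"__MSG_appName__","description":"Demo","version":"1.2.0","default_locale":"en","permissions":["tabs","cookies"],"host_permissions":["<all_urls>"]}' |
    Set-Content -LiteralPath (Join-Path $ver 'manifest.json') -Encoding UTF8
'{"appName":{"message":"Constructed Demo Extension"}}' |
    Set-Content -LiteralPath (Join-Path $ver '_locales\en\messages.json') -Encoding UTF8

Get-ExtensionMetadata -Root $root | Export-Csv -Path (Join-Path $root 'extensions.csv') -NoTypeInformation
Import-Csv (Join-Path $root 'extensions.csv') | Format-List
```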