This is one of the posts from the PowerShellIT series, in which we take common (and sometimes not so common) use cases and try to simplify or automate them using PowerShell.
Today’s Use Case
Identify the browser extensions installed for a user. Cover the popular browsers: Firefox, Chrome, Edge and Internet Explorer.
It should accept a username as input and have parameters to get extensions for all browsers or only specified ones. It should also provide analysis of the installed extensions, such as whether an extension is suspicious or malicious.
Infrastructure overview
Disclaimer: Our goal is to get the list of extensions, provide the analytics to the user (description, functionality, risk score, etc.) and present it in a meaningful way. Ultimate responsibility and decision making about keeping or deleting extensions is up to the user.
Context
This is a very interesting task, as most users religiously use browser extensions for productivity. A typical end user can install a bunch of extensions, including some questionable ones. As there is a myriad of extensions, it would be useful to check whether the browser extensions used by an end user are considered malicious or not. In most cases, a description of the functionality and use cases of those extensions also helps to decide what to keep and what to kill.
Challenges
- Different browsers store extensions in different locations.
- A risk model might be required to perform a due diligence check before marking an extension as suspicious.
- We need to find and use a free and trustworthy service to analyze whether extensions are malicious and/or suspicious.
- We might need to query each supported browser's extension store to get more info about an extension.
- Simple reporting. Make sure that results are presented in a concise and easy-to-understand manner.
Proposed solution
A simple and elegant PowerShell function, Get-InstalledBrowserExtension
Pseudo code
Check if user exists
foreach user & browser specified
    Get Installed Browser Extension
    foreach identified extension
        Get Extension Risk Rating
It has been wrapped into a PowerShell module called BrowserExtensions.
The module contains 4 functions:
- Get-ExtensionRiskRating
- Get-ChromeInstalledExtension
- Get-FirefoxInstalledExtension
- Get-InstalledBrowserExtension
Get-ExtensionRiskRating
Gets the risk rating of a specific extension using the crxcavator.io API.
EXAMPLE
Get the risk rating for a specific extension.
Get-ExtensionRiskRating -ExtensionID "{33730d30-3c0a-46f7-be41-3e0cda806b94}" -ExtensionVersion "1.2.1" -ExtensionPlatform "Firefox" -Verbose
Get-ChromeInstalledExtension
Gets installed Google Chrome and Microsoft Edge browser extensions for a specific user. Gets all enabled extensions from all Chrome and Edge profiles.
EXAMPLE
Get Google Chrome installed extensions for user andys.
Get-ChromeInstalledExtension -Username andys -Verbose
EXAMPLE
Get Microsoft Edge installed extensions for user andys.
Get-ChromeInstalledExtension -Username andys -Edge -Verbose
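How a per-profile enumeration like this can be done by reading each extension's manifest.json from disk, as an added example that is not the BrowserExtensions module's own code. The function name Get-ChromiumExtensionManifest and the -UsersRoot parameter are hypothetical, and it lists every extension found on disk without checking whether it is enabled.

```powershell
# Added example: hypothetical helper, not part of the BrowserExtensions module.
function Get-ChromiumExtensionManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Username,
        [switch] $Edge,
        # Assumption: user profiles live under C:\Users (default Windows layout).
        [string] $UsersRoot = 'C:\Users'
    )
    $vendor   = if ($Edge) { 'Microsoft\Edge' } else { 'Google\Chrome' }
    $userData = Join-Path $UsersRoot "$Username\AppData\Local\$vendor\User Data"
    if (-not (Test-Path -LiteralPath $userData)) {
        Write-Verbose "No browser data found at $userData"
        return
    }
    # Layout: <User Data>\<profile>\Extensions\<extension id>\<version>\manifest.json
    $pattern = Join-Path $userData '*\Extensions\*\*\manifest.json'
    foreach ($file in Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue) {
        $versionDir = $file.Directory
        $manifest   = Get-Content -LiteralPath $file.FullName -Raw -Encoding UTF8 | ConvertFrom-Json
        $name       = $manifest.name
        # Localised extensions store "__MSG_<key>__" as the name; resolve it from
        # _locales\<default_locale>\messages.json (message keys are case-insensitive).
        if ($name -match '^__MSG_(.+)__$' -and $manifest.default_locale) {
            $key      = $Matches[1]
            $messages = Join-Path $versionDir.FullName "_locales\$($manifest.default_locale)\messages.json"
            if (Test-Path -LiteralPath $messages) {
                $table = Get-Content -LiteralPath $messages -Raw -Encoding UTF8 | ConvertFrom-Json
                $entry = $table.PSObject.Properties | Where-Object { $_.Name -ieq $key } | Select-Object -First 1
                if ($entry) { $name = $entry.Value.message }
            }
        }
        [pscustomobject]@{
            Browser     = if ($Edge) { 'Edge' } else { 'Chrome' }
            Profile     = $versionDir.Parent.Parent.Parent.Name   # e.g. "Default", "Profile 1"
            ExtensionID = $versionDir.Parent.Name
            Version     = $manifest.version
            Name        = $name
            Permissions = @($manifest.permissions) -join ', '
        }
    }
}

# Usage, with the sample username from this post:
Get-ChromiumExtensionManifest -Username andys -Verbose | Format-Table -AutoSize
```

The Permissions column is worth reviewing alongside any external risk score, since it shows what each extension has asked the browser to let it do.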
Get-FirefoxInstalledExtension
Gets installed Mozilla Firefox browser extensions for a specific user. Gets all enabled extensions from all Firefox profiles.
EXAMPLE
Get Firefox installed extensions for user andys.
Get-FirefoxInstalledExtension -Username andys -Verbose
Get-InstalledBrowserExtension
Gets installed browser extensions and analyzes their risk rating using the crxcavator.io API. Supported browsers: Firefox, Chrome and Edge.
EXAMPLE
Get installed Firefox, Chrome and Edge browser extensions for all users and get the risk rating for each extension.
Get-InstalledBrowserExtension -Browser FireFox,Edge,Chrome -Verbose
All of the source code is available in the PowerShellIT repository on GitHub.
Thanks a lot for reading.