PowerShell #5 – Browser Extensions

This is one of the posts from the PoweshellIT series in which we get common and sometimes not so common use cases and try to simplify/automate them using PowerShell.

Today’s Use Case

Identify installed browser extension for a user. Cover popular browsers: FireFox, Chrome, Edge and Internet Explorer.
It should accept username as input and have parameters to get extensions for all browsers or specified ones. Also it should provide analysis on installed extensions like is it suspicious/malicious etc.

Infrastructure overview

Disclaimer: Our goal is to get list of extensions and provide all the analytics to the user (description, functionality, risk score etc) and present it in meaningful way. Ultimate responsibility and decision making about keeping/deleting extension(s) is up to user.

Context

Very interesting task as most of the users are religiously using browser Extensions for productivity. Typically end user can install a bunch of extensions and even some questionable one. As there is myriad of extensions it would be useful to check if browser Extensions used by end user are considered malicious or not. Also in most the cases some description about functionality and use cases of using those extension help to decide what to keep and what to kill.

Challenges

  • Multiple browsers are storing extensions in different locations.
  • Risk model might be required to perform a due diligent check before marking extension suspicious.
  • We need to find/use some free and trustworthy service to analyze if extensions are malicious and/or suspicious.
  • We might need to query each supported browser extension store to get more info about extension
  • Simple reporting. Make sure that result are presented in concise and easy to understand manner.

Proposed solution

Simple and elegant PowerShell function Get-InstalledBrowserExstension

Pseudo code

Check if user exist
foreach user & browser specified
 Get Installed Browser Extension
foreach identified extension
 Get Extension Risk Rating

It has been wrapped into PowerShell module called BrowserExtensions.

Module contains 4 functions:

  • Get-ExtensionRiskRating
  • Get-ChromeInstalledExtension
  • Get-FirefoxInstalledExtension
  • Get-InstalledBrowserExtension

Get-ExtensionRiskRating

Get Specific Extension Risk Rating using crxcavator.io API. Reference

EXAMPLE

Get Risk rating for specific extension.

Get-ExtensionRiskRating -ExtensionID "{33730d30-3c0a-46f7-be41-3e0cda806b94}" -ExtensionVersion "1.2.1" -ExtensionPlatform "Firefox" -Verbose

Get-ChromeInstalledExtension

Get installed Google Chrome and Microsoft Edge browser extensions for specific user. Gets all enabled extensions from all Chrome and Edge profiles.

EXAMPLE

Get Google Chrome installed extensions for user andys.

Get-ChromeInstalledExtension -Username andys -Verbose

EXAMPLE

Get Microsoft Edge installed extensions for user andys.

Get-ChromeInstalledExtension -Username andys -Edge -Verbose 

Get-FirefoxInstalledExtension

Get installed Mozilla Firefox browser extensions for specific user. Gets all enabled extensions from all Firefox profiles.

EXAMPLE

Get Firefox installed extensions for user andys.

Get-FirefoxInstalledExtension -Username andys -Verbose

Get-InstalledBrowserExtension

Get Installed Browser Extensions and analyzing Risk Rating  using crxcavator.io API. Supported browsers: Firefox, Chrome and Edge.

EXAMPLE

Get installed Firefox, Chrome and Edge browser extensions for all users and get Risk rating for each extension.

Get-InstalledBrowserExtension -Browser FireFox,Edge,Chrome -Verbose

All of the source code is available in PowerShellIT repository on the GitHub.

Thanks a lot for reading.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.