uberAgent

Building a Browser Extension Inventory Report (Chrome/Edge/Firefox)

This article shows how to collect detailed inventory information about all installed browser extensions. The solution presented includes a Splunk dashboard that visualizes the collected data.

The scripts listed in this guide are managed in vast limits’ public GitHub repository.

Solution Brief: Browser Extension Inventory

  1. Extensions and metadata are stored in browser profiles.
  2. A PowerShell script extracts extension info from browser profiles. The script inspects all browser profiles in the current user’s Windows user profile.
  3. The script is executed by uberAgent for each user logged on to the endpoint. The script’s output is captured by uberAgent and forwarded to the (Splunk) backend.
  4. A Splunk dashboard visualizes the collected data.

Background Information

Listing Chrome Profiles

Getting the Location of the User Data Directory

  • Default location on Windows: %LocalAppData%\Google\Chrome\User Data
  • Documentation

Parsing the JSON file ‘Local State’ to Find Profile Directories

  1. Profile objects are children of the following: profile > info_cache
  2. Profile properties related to the user:

    • gaia_given_name
    • gaia_id
    • gaia_name
    • name
    • shortcut_name
    • user_name
  3. Profile names

    • Default profile: Default
    • Additional profiles: Profile
  4. Locating profile directories

    • Profile directories are subdirectories of the user data directory
    • Names of profile directories are identical to profile names

Listing Edge Profiles

Getting the Location of the User Data Directory

  • Default location on Windows: %LocalAppData%\Microsoft\Edge\User Data
  • Everything else is identical to Chrome

Collecting Chrome Extension Inventory Data

‘Preferences’ vs. ‘Secure Preferences’

Extensions are listed in one of two possible JSON files located in the profile directory: Preferences or Secure Preferences. The script checks both.

Note: Secure Preferences is typically used instead of the Preferences file.

Extension Settings

Extension settings are children of the following: extensions > settings > <extension ID>.

Relevant settings for inventory purposes include:

  • from_webstore: was the extension installed from the Chrome Web Store?
  • install_time: timestamp of the last update (format: FILETIME / 10 [= microseconds since Jan 1st 1601])
  • path: extension path, either absolute or relative to the profile subdirectory Extensions
  • location: 1 = user data subdirectory Extensions, 5 = Chrome installation directory
  • state: 1 = enabled
  • was_installed_by_default: [part of Chrome, not removable?]
  • version: extension version
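
The lookup described above, from Local State through the profile directories to the extension settings, as an added PowerShell example (not the script from the vast limits repository). The function names Read-JsonFile and Get-ChromiumExtension and the output property names are chosen here for illustration.

```powershell
# Added example, not the uberAgent script: list Chrome/Edge extensions per profile.
$epoch1601 = [datetime]::new(1601, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)

function Read-JsonFile([string]$Path) {
    # Returns nothing when the file does not exist (browser or profile not in use).
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        Get-Content -LiteralPath $Path -Raw -Encoding UTF8 | ConvertFrom-Json
    }
}

function Get-ChromiumExtension {
    param([string]$Browser, [string]$UserDataDir)

    $localState = Read-JsonFile (Join-Path $UserDataDir 'Local State')
    if ($null -eq $localState -or $null -eq $localState.profile.info_cache) { return }

    # Each property of profile > info_cache is one profile, keyed by its directory name.
    foreach ($p in $localState.profile.info_cache.PSObject.Properties) {
        $seen = @{}
        # Secure Preferences first: it is the file that typically holds the extension list.
        foreach ($file in 'Secure Preferences', 'Preferences') {
            $prefs = Read-JsonFile (Join-Path (Join-Path $UserDataDir $p.Name) $file)
            if ($null -eq $prefs -or $null -eq $prefs.extensions.settings) { continue }

            foreach ($e in $prefs.extensions.settings.PSObject.Properties) {
                if ($seen.ContainsKey($e.Name)) { continue }   # already reported from the other file
                $seen[$e.Name] = $true
                $s = $e.Value
                # install_time is microseconds since 1601-01-01 UTC; one microsecond is 10 ticks.
                $installed = if ($s.install_time) { $epoch1601.AddTicks([int64]$s.install_time * 10) }
                [pscustomobject]@{
                    Browser            = $Browser
                    ProfileDir         = $p.Name
                    ProfileName        = $p.Value.name
                    ProfileUserName    = $p.Value.user_name
                    ExtensionId        = $e.Name
                    FromWebstore       = $s.from_webstore
                    Enabled            = ($s.state -eq 1)
                    Location           = $s.location
                    InstalledByDefault = $s.was_installed_by_default
                    InstallTimeUtc     = $installed
                }
            }
        }
    }
}

Get-ChromiumExtension Chrome (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data')
Get-ChromiumExtension Edge   (Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data')
```

Run it in the user's own session, because the paths resolve against the current user's %LocalAppData%.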

Collecting Firefox Extension Inventory Data

Getting the Location of the Profile Directory

  • Default location on Windows: %AppData%\Mozilla\Firefox\Profiles

Extension Settings

The configuration of Firefox extensions is stored in each profile’s extensions.json file. Within that file, extension settings are children of: addons.

Relevant settings for inventory purposes include:

  • sourceURI: installation source (Firefox Addons or a different site?)
  • updateDate: timestamp of the last update (format: Unix epoch in ms)
  • location: app-profile = browser profile
  • active: true = enabled
  • version: extension version
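
The same idea for Firefox, as an added PowerShell example (not the script from the vast limits repository). The function name Get-FirefoxExtension, the output property names, the add-on field id, and the use of the host addons.mozilla.org to decide whether an add-on came from Firefox Addons are assumptions that do not appear on this page.

```powershell
# Added example, not the uberAgent script: list Firefox add-ons per profile.
$profilesRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$amoHost      = 'addons.mozilla.org'   # assumption: host that counts as "Firefox Addons"

function Get-FirefoxExtension([string]$ProfilesRoot) {
    if (-not (Test-Path -LiteralPath $ProfilesRoot -PathType Container)) { return }

    foreach ($dir in Get-ChildItem -LiteralPath $ProfilesRoot -Directory) {
        $file = Join-Path $dir.FullName 'extensions.json'
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
        $json = Get-Content -LiteralPath $file -Raw -Encoding UTF8 | ConvertFrom-Json

        # Extension entries are the elements of the top-level "addons" array.
        foreach ($a in $json.addons) {
            # sourceURI may be missing or malformed; such entries get no source host
            # and are therefore reported as not installed from Firefox Addons.
            $sourceHost = $null
            $uri = $null
            if ($a.sourceURI -and
                [uri]::TryCreate([string]$a.sourceURI, [System.UriKind]::Absolute, [ref]$uri)) {
                $sourceHost = $uri.Host
            }
            # updateDate is Unix epoch time in milliseconds.
            $updated = if ($a.updateDate) {
                [DateTimeOffset]::FromUnixTimeMilliseconds([int64]$a.updateDate).UtcDateTime
            }
            [pscustomobject]@{
                Browser       = 'Firefox'
                ProfileDir    = $dir.Name
                ExtensionId   = $a.id
                Version       = $a.version
                Enabled       = [bool]$a.active
                Location      = $a.location
                SourceHost    = $sourceHost
                FromAmo       = ($sourceHost -eq $amoHost)
                UpdateTimeUtc = $updated
            }
        }
    }
}

# Entries with FromAmo = False sort first, so add-ons from other sources are easy to review.
Get-FirefoxExtension $profilesRoot |
    Sort-Object FromAmo, ProfileDir |
    Format-Table ProfileDir, ExtensionId, Version, Enabled, Location, SourceHost, FromAmo
```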

Configuring uberAgent to Run the Inventory Script

Note: you can find the latest version of the script in vast limits’ public GitHub repository.

  1. Store the script file in C:\Program Files\vast limits\uberAgent\scripts as Get-BrowserExtensionInfo.ps1.
  2. Create a new timer in uberAgent’s configuration. With the settings shown below, the script is executed in each user session five minutes after uberAgent is started. The script execution is repeated every 24 hours.
[Timer]
Name              = BrowserExtensionInventory
Interval          = 86400000
Start delay       = 300000
Persist interval  = true
Script            = powershell.exe -executionpolicy bypass -file "C:\Program Files\vast limits\uberAgent\Scripts\Get-BrowserExtensionInfo.ps1"
ScriptContext     = UserSessionAsUser

Restart the agent to start collecting data.

Script Output

The output from the inventory script looks like this:

OsUser="helge" Browser="Chrome" ProfileDir="Default" ProfileName="Person 1" ProfileGaiaName="Helge Klein" ProfileUserName="email@domain.com" ExtensionId="cmcmennehclgdccnlmnjladhlkmclbkb" ExtensionName="uberAgent" ExtensionVersion="3.0.6" ExtensionFromWebstore="True" ExtensionState="1" ExtensionInstallTime="1606912508508" ExtensionInstalledByDefault="False"

Splunk Dashboard

Once inventory data is sent from endpoints with uberAgent to Splunk, install the Splunk app that is part of this practice guide. You can find it in this guide’s GitHub repository or in Splunkbase.

The dashboard provides a timeline of the top 10 extensions along with a data table listing all browser extensions. Selecting an extension’s row in the table brings up additional charts and tables that list all extension instances in full detail.
