Post-Image

Falcon Friday: Detecting Malicious Browser Extensions and code signing

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “Falcon Friday”, we will release hunting queries to detect offensive techniques. Today; part two.

The Falcon Friday series continues! We hope you’ve had the chance to start working with our previous queries and are now releasing new hunting queries which hopefully helps you in detecting mischief. For reference purposes we tagged the series as 0xFF01, making it easier to track the content.

Today’s content:

-> Detecting suspicious or unknown browser extensions

-> Detecting binaries with questionable code signing certificates connecting to the internet

We love to hear back from you on the results. Any feedback or suggestions for improvements are welcome. Feel free to create pull requests (PR) if you have improvements which can benefit the community. We will make sure to cover your PRs in the blog following your PR.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falcon-friday-detecting-malicious-browser-extensions-and-code-signing-0xff01-db622e6a6519

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday