Running Chrome VPN Extensions via the Registry 2 VPN Extension

Severity: high
Author: frack113
Source: upstream

Running Chrome VPN Extensions via the Registry install 2 vpn extension

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1133` External Remote Services
Persistence	`T1133` External Remote Services

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `all of chrome_ext`

TargetObject|endswith: update_url
TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'

Stage 2: `all of chrome_vpn`

or:
TargetObject|contains: aakchaleigkohafkfjfjbblobjifikek
TargetObject|contains: aigmfoeogfnljhnofglledbhhfegannp
TargetObject|contains: akeehkgglkmpapdnanoochpfmeghfdln
TargetObject|contains: akkbkhnikoeojlhiiomohpdnkhbkhieh
TargetObject|contains: almalgbpmcfpdaopimbdchdliminoign
TargetObject|contains: amnoibeflfphhplmckdbiajkjaoomgnj
TargetObject|contains: aojlhgbkmkahabcmcpifbolnoichfeep
TargetObject|contains: apcfdffemoinopelidncddjbhkiblecc
TargetObject|contains: bblcccknbdbplgmdjnnikffefhdlobhp
TargetObject|contains: bdlcnpceagnkjnjlbbbcepohejbheilk
TargetObject|contains: bfidboloedlamgdmenmlbipfnccokknp
TargetObject|contains: bhnhkdgoefpmekcgnccpnhjfdgicfebm
TargetObject|contains: bibjcjfmgapbfoljiojpipaooddpkpai
TargetObject|contains: bihhflimonbpcfagfadcnbbdngpopnjb
TargetObject|contains: bihmplhobchoageeokmgbdihknkjbknd
TargetObject|contains: bkkgdjpomdnfemhhkalfkogckjdkcjkg
TargetObject|contains: bniikohfmajhdcffljgfeiklcbgffppl
TargetObject|contains: bnijmipndnicefcdbhgcjoognndbgkep
TargetObject|contains: cgojmfochfikphincbhokimmmjenhhgk
TargetObject|contains: chioafkonnhbpajpengbalkececleldf
TargetObject|contains: ckiahbcmlmkpfiijecbpflfahoimklke
TargetObject|contains: cocfojppfigjeefejbpfmedgjbpchcng
TargetObject|contains: dbdbnchagbkhknegmhgikkleoogjcfge
TargetObject|contains: dfkdflfgjdajbhocmfjolpjbebdkcjog
TargetObject|contains: dhadilbmmjiooceioladdphemaliiobo
TargetObject|contains: dpplabbmogkhghncfbfdeeokoefdjegm
TargetObject|contains: edknjdjielmpdlnllkdmaghlbpnmjmgb
TargetObject|contains: egblhcjfjmbjajhjhpmnlekffgaemgfh
TargetObject|contains: ehbhfpfdkmhcpaehaooegfdflljcnfec
TargetObject|contains: eidnihaadmmancegllknfbliaijfmkgo
TargetObject|contains: ejkaocphofnobjdedneohbbiilggdlbi
TargetObject|contains: eppiocemhmnlbhjplcgkofciiegomcon
TargetObject|contains: fcfhplploccackoneaefokcmbjfbkenj
TargetObject|contains: fdcgdnkidjaadafnichfpabhfomcebme
TargetObject|contains: ffbkglfijbcbgblgflchnbphjdllaogb
TargetObject|contains: ffhhkmlgedgcliajaedapkdfigdobcif
TargetObject|contains: fgddmllnllkalaagkghckoinaemmogpe
TargetObject|contains: ficajfeojakddincjafebjmfiefcmanc
TargetObject|contains: fjoaledfpmneenckfbpdfhkmimnjocfa
TargetObject|contains: foiopecknacmiihiocgdjgbjokkpkohc
TargetObject|contains: gbfgfbopcfokdpkdigfmoeaajfmpkbnh
TargetObject|contains: gbmdmipapolaohpinhblmcnpmmlgfgje
TargetObject|contains: gcknhkkoolaabfmlnjonogaaifnjlfnp
TargetObject|contains: ggackgngljinccllcmbgnpgpllcjepgc
TargetObject|contains: gjknjjomckknofjidppipffbpoekiipm
TargetObject|contains: gkojfkhlekighikafcpjkiklfbnlmeio
TargetObject|contains: hhdobjgopfphlmjbmnpglhfcgppchgje
TargetObject|contains: higioemojdadgdbhbbbkfbebbdlfjbip
TargetObject|contains: hipncndjamdcmphkgngojegjblibadbe
TargetObject|contains: hnmpcagpplmpfojmgmnngilcnanddlhb
TargetObject|contains: hoapmlpnmpaehilehggglehfdlnoegck
TargetObject|contains: ifnaibldjfdmaipaddffmgcmekjhiloa
TargetObject|contains: igahhbkcppaollcjeaaoapkijbnphfhb
TargetObject|contains: inligpkjkhbpifecbdjhmdpcfhnlelja
TargetObject|contains: iocnglnmfkgfedpcemdflhkchokkfeii
TargetObject|contains: iolonopooapdagdemdoaihahlfkncfgg
TargetObject|contains: jajilbjjinjmgcibalaakngmkilboobh
TargetObject|contains: jbnmpdkcfkochpanomnkhnafobppmccn
TargetObject|contains: jdgilggpfmjpbodmhndmhojklgfdlhob
TargetObject|contains: jedieiamjmoflcknjdjhpieklepfglin
TargetObject|contains: jgbaghohigdbgbolncodkdlpenhcmcge
TargetObject|contains: jliodmnojccaloajphkingdnpljdhdok
TargetObject|contains: jljopmgdobloagejpohpldgkiellmfnc
TargetObject|contains: jpgljfpmoofbmlieejglhonfofmahini
TargetObject|contains: jplnlifepflhkbkgonidnobkakhmpnmh
TargetObject|contains: kcdahmgmaagjhocpipbodaokikjkampi
TargetObject|contains: kchocjcihdgkoplngjemhpplmmloanja
TargetObject|contains: kcndmbbelllkmioekdagahekgimemejo
TargetObject|contains: keodbianoliadkoelloecbhllnpiocoi
TargetObject|contains: klnkiajpmpkkkgpgbogmcgfjhdoljacg
TargetObject|contains: knajdeaocbpmfghhmijicidfcmdgbdpm
TargetObject|contains: knmmpciebaoojcpjjoeonlcjacjopcpf
TargetObject|contains: kpiecbcckbofpmkkkdibbllpinceiihk
TargetObject|contains: lcmammnjlbmlbcaniggmlejfjpjagiia
TargetObject|contains: lejgfmmlngaigdmmikblappdafcmkndb
TargetObject|contains: lklekjodgannjcccdlbicoamibgbdnmi
TargetObject|contains: llbhddikeonkpbhpncnhialfbpnilcnc
TargetObject|contains: lneaocagcijjdpkcabeanfpdbmapcjjg
TargetObject|contains: lnfdmdhmfbimhhpaeocncdlhiodoblbd
TargetObject|contains: lochiccbgeohimldjooaakjllnafhaid
TargetObject|contains: macdlemfnignjhclfcfichcdhiomgjjb
TargetObject|contains: majdfhpaihoncoakbjgbdhglocklcgno
TargetObject|contains: mhngpdlhojliikfknhfaglpnddniijfh
TargetObject|contains: mjnbclmflcpookeapghfhapeffmpodij
TargetObject|contains: mjolnodfokkkaichkcjipfgblbfgojpa
TargetObject|contains: mpcaainmfjjigeicjnlkdfajbioopjko
TargetObject|contains: nabbmpekekjknlbkgpodfndbodhijjem
TargetObject|contains: namfblliamklmeodpcelkokjbffgmeoo
TargetObject|contains: nbcojefnccbanplpoffopkoepjmhgdgh
TargetObject|contains: nhfjkakglbnnpkpldhjmpmmfefifedcj
TargetObject|contains: nhnfcgpcbfclhfafjlooihdfghaeinfc
TargetObject|contains: njpmifchgidinihmijhcfpbdmglecdlb
TargetObject|contains: nlbejmccbhkncgokjcmghpfloaajcffj
TargetObject|contains: npgimkapccfidfkfoklhpkgmhgfejhbj
TargetObject|contains: oifjbnnafapeiknapihcmpeodaeblbkn
TargetObject|contains: omdakjcmkglenbhjadbccaookpfjihpa
TargetObject|contains: omghfjlpggmjjaagoclmmobgdodcjboh
TargetObject|contains: oofgbpoabipfcfjapgnbbjjaenockbdp
TargetObject|contains: ookhnhpkphagefgdiemllfajmkdkcaim
TargetObject|contains: padekgcemlokbadohgkifijomclgjgif
TargetObject|contains: pcienlhnoficegnepejpfiklggkioccm
TargetObject|contains: pgfpignfckbloagkfnamnolkeaecfgfh
TargetObject|contains: plpmggfglncceinmilojdkiijhmajkjh
TargetObject|contains: poeojclicodamonabcabmapamjkkmnnk
TargetObject|contains: pooljnboifbodgifngpppfklhifechoe
TargetObject|contains: ppajinakbfocjfnijggfndbdmjggcmde

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`TargetObject`	ends_with	`update_url`
`TargetObject`	match	`Software\Wow6432Node\Google\Chrome\Extensions` `aakchaleigkohafkfjfjbblobjifikek` `aigmfoeogfnljhnofglledbhhfegannp` `akeehkgglkmpapdnanoochpfmeghfdln` `akkbkhnikoeojlhiiomohpdnkhbkhieh` `almalgbpmcfpdaopimbdchdliminoign` `amnoibeflfphhplmckdbiajkjaoomgnj` `aojlhgbkmkahabcmcpifbolnoichfeep` `apcfdffemoinopelidncddjbhkiblecc` `bblcccknbdbplgmdjnnikffefhdlobhp` `bdlcnpceagnkjnjlbbbcepohejbheilk` `bfidboloedlamgdmenmlbipfnccokknp` `bhnhkdgoefpmekcgnccpnhjfdgicfebm` `bibjcjfmgapbfoljiojpipaooddpkpai` `bihhflimonbpcfagfadcnbbdngpopnjb` `bihmplhobchoageeokmgbdihknkjbknd` `bkkgdjpomdnfemhhkalfkogckjdkcjkg` `bniikohfmajhdcffljgfeiklcbgffppl` `bnijmipndnicefcdbhgcjoognndbgkep` `cgojmfochfikphincbhokimmmjenhhgk` `chioafkonnhbpajpengbalkececleldf` `ckiahbcmlmkpfiijecbpflfahoimklke` `cocfojppfigjeefejbpfmedgjbpchcng` `dbdbnchagbkhknegmhgikkleoogjcfge` `dfkdflfgjdajbhocmfjolpjbebdkcjog` `dhadilbmmjiooceioladdphemaliiobo` `dpplabbmogkhghncfbfdeeokoefdjegm` `edknjdjielmpdlnllkdmaghlbpnmjmgb` `egblhcjfjmbjajhjhpmnlekffgaemgfh` `ehbhfpfdkmhcpaehaooegfdflljcnfec` `eidnihaadmmancegllknfbliaijfmkgo` `ejkaocphofnobjdedneohbbiilggdlbi` `eppiocemhmnlbhjplcgkofciiegomcon` `fcfhplploccackoneaefokcmbjfbkenj` `fdcgdnkidjaadafnichfpabhfomcebme` `ffbkglfijbcbgblgflchnbphjdllaogb` `ffhhkmlgedgcliajaedapkdfigdobcif` `fgddmllnllkalaagkghckoinaemmogpe` `ficajfeojakddincjafebjmfiefcmanc` `fjoaledfpmneenckfbpdfhkmimnjocfa` `foiopecknacmiihiocgdjgbjokkpkohc` `gbfgfbopcfokdpkdigfmoeaajfmpkbnh` `gbmdmipapolaohpinhblmcnpmmlgfgje` `gcknhkkoolaabfmlnjonogaaifnjlfnp` `ggackgngljinccllcmbgnpgpllcjepgc` `gjknjjomckknofjidppipffbpoekiipm` `gkojfkhlekighikafcpjkiklfbnlmeio` `hhdobjgopfphlmjbmnpglhfcgppchgje` `higioemojdadgdbhbbbkfbebbdlfjbip` `hipncndjamdcmphkgngojegjblibadbe` `hnmpcagpplmpfojmgmnngilcnanddlhb` `hoapmlpnmpaehilehggglehfdlnoegck` `ifnaibldjfdmaipaddffmgcmekjhiloa` `igahhbkcppaollcjeaaoapkijbnphfhb` `inligpkjkhbpifecbdjhmdpcfhnlelja` `iocnglnmfkgfedpcemdflhkchokkfeii` `iolonopooapdagdemdoaihahlfkncfgg` `jajilbjjinjmgcibalaakngmkilboobh` `jbnmpdkcfkochpanomnkhnafobppmccn` `jdgilggpfmjpbodmhndmhojklgfdlhob` `jedieiamjmoflcknjdjhpieklepfglin` `jgbaghohigdbgbolncodkdlpenhcmcge` `jliodmnojccaloajphkingdnpljdhdok` `jljopmgdobloagejpohpldgkiellmfnc` `jpgljfpmoofbmlieejglhonfofmahini` `jplnlifepflhkbkgonidnobkakhmpnmh` `kcdahmgmaagjhocpipbodaokikjkampi` `kchocjcihdgkoplngjemhpplmmloanja` `kcndmbbelllkmioekdagahekgimemejo` `keodbianoliadkoelloecbhllnpiocoi` `klnkiajpmpkkkgpgbogmcgfjhdoljacg` `knajdeaocbpmfghhmijicidfcmdgbdpm` `knmmpciebaoojcpjjoeonlcjacjopcpf` `kpiecbcckbofpmkkkdibbllpinceiihk` `lcmammnjlbmlbcaniggmlejfjpjagiia` `lejgfmmlngaigdmmikblappdafcmkndb` `lklekjodgannjcccdlbicoamibgbdnmi` `llbhddikeonkpbhpncnhialfbpnilcnc` `lneaocagcijjdpkcabeanfpdbmapcjjg` `lnfdmdhmfbimhhpaeocncdlhiodoblbd` `lochiccbgeohimldjooaakjllnafhaid` `macdlemfnignjhclfcfichcdhiomgjjb` `majdfhpaihoncoakbjgbdhglocklcgno` `mhngpdlhojliikfknhfaglpnddniijfh` `mjnbclmflcpookeapghfhapeffmpodij` `mjolnodfokkkaichkcjipfgblbfgojpa` `mpcaainmfjjigeicjnlkdfajbioopjko` `nabbmpekekjknlbkgpodfndbodhijjem` `namfblliamklmeodpcelkokjbffgmeoo` `nbcojefnccbanplpoffopkoepjmhgdgh` `nhfjkakglbnnpkpldhjmpmmfefifedcj` `nhnfcgpcbfclhfafjlooihdfghaeinfc` `njpmifchgidinihmijhcfpbdmglecdlb` `nlbejmccbhkncgokjcmghpfloaajcffj` `npgimkapccfidfkfoklhpkgmhgfejhbj` `oifjbnnafapeiknapihcmpeodaeblbkn` `omdakjcmkglenbhjadbccaookpfjihpa` `omghfjlpggmjjaagoclmmobgdodcjboh` `oofgbpoabipfcfjapgnbbjjaenockbdp` `ookhnhpkphagefgdiemllfajmkdkcaim` `padekgcemlokbadohgkifijomclgjgif` `pcienlhnoficegnepejpfiklggkioccm` `pgfpignfckbloagkfnamnolkeaecfgfh` `plpmggfglncceinmilojdkiijhmajkjh` `poeojclicodamonabcabmapamjkkmnnk` `pooljnboifbodgifngpppfklhifechoe` `ppajinakbfocjfnijggfndbdmjggcmde`