
A Study of Chrome Remote Desktop Extension

In the security industry -- there are many tools out there which can be so useful to administrators (or children who become the administrators of their parents' computers when they move out of the house) but can also be used for other, more nefarious reasons. One such thing is Chrome Extensions.

It's impressive what you can duct tape onto a browser. You have time saving extensions, money saving extensions, just fun extensions. The list goes on and on. Some of these are perfectly harmless. Some claim to be harmless, but indeed are not. Heck, there were 500 cases of this not too long ago. Then there are the ones that can be very useful for smaller companies or for assisting a friend/relative but could also be used to circumvent security controls. Or even used in FakeAV scams or similar.

So this extension is by no means malicious -- so please don't think I am implying that. What I hope this post does is make you think about the extensions in your organization and if/how you are monitoring them.

If you want a quick way to sanity check an extension, try CRXcavator. You can see its results for Chrome Remote Desktop.

Chrome Remote Desktop

I can immediately see the value in this extension. It's basically remote desktop via your Chrome browser. And it's so simple to use. I am also cheating a bit -- this is an extension which (if you want to receive support) is also an app. As this isn't malware -- the app does not try to be stealthy. However, as an analyst I find it useful to have multiple data points to search across your environment for. Anyways... off we go.

There are three different aspects for this extension. There is the installation of the extension, giving support to someone else (which requires nothing else), or getting support from someone else, which does require installation of an additional application.

Extension Installation

You can find the Chrome Remote Desktop Extension on the Chrome Store. The long gobbledygook in the URL will become important later. Anyways, you click 'Add to Chrome' and it's pretty much that simple. Oh, but there is this one thing. You have to simply click 'Add extension'... never mind what it can do. To be fair it IS a remote desktop tool so this seems obvious, however if this was, say, a calculator extension, should it need to be able to do all of this? Many people don't care and just want the cool extension. You know those free extensions that say "we will find you the lowest price on an item" for you? They are not doing it out of the goodness of their hearts. They are more than likely collecting data about you and selling it to various companies. Anonymized? Uh... sure, maybe?

I used Noriben to record host changes. It's a great free tool which utilises ProcMon to monitor changes and filters out a good chunk of 'normal OS' stuff which can make ProcMon output a bit harder to parse.

Artifacts

Not a lot of host artifacts per se here that maintain persistence. But obviously the big one here is the extension itself.

%LocalAppData%\Google\Chrome\User Data\Default\Extensions\inomeogfingihgjfjlpeplalcfajhgai

Interesting files in there include the manifest (it shows the permissions the extension requires, its update URL and whether it maintains persistence in the background).

Supporting Someone Else

So this actually leaves nothing extra on the machine. No event log, no nothing. So short of the extension folder mentioned above, no one need ever know you helped Grandma install Discord on her machine.

Getting Support from Someone

So from a company security perspective this is the biggest concern. The classic 'oh no you have been infected but don't worry we can help' perspective. Luckily there are quite a few artifacts on the machine as it requires the installation of an app "remote_assistance_host.exe". We can see the artifacts for that installation below.

Application Installation

[CreateProcess] chrome.exe:640 > "%WinDir%\System32\msiexec.exe /i %UserProfile%\Downloads\chromeremotedesktophost.msi " [Child PID: 3488]
[CreateProcess] chrome.exe:640 > "%WinDir%\system32\cmd.exe /d /c %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remote_assistance_host.exe chrome-extension://inomeogfingihgjfjlpeplalcfajhgai/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.34f43c3acaccb19b > \\.\pipe\chrome.nativeMessaging.out.34f43c3acaccb19b" [Child PID: 3840]
[CreateProcess] cmd.exe:3840 > "%ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remote_assistance_host.exe  chrome-extension://inomeogfingihgjfjlpeplalcfajhgai/ --parent-window=0 " [Child PID: 3660]

We can also see some artifacts in Chrome's cache, which you can view with Chrome Cache View. I won't post all of them individually, but here are the main directories:

%LocalAppData%\Google\Chrome\User Data\Default\Cache\
%LocalAppData%\Google\Chrome\User Data\Default\Code Cache\js\
%LocalAppData%\Google\Chrome\User Data\Default\Service Worker\ScriptCache\

We also get some processes being created, which you can catch if you can analyse memory or are using something that records process creation (Sysmon, for example).

We of course see the downloaded file, and then the directory the installer writes its files to as well.

[CreateFile] chrome.exe:640 > %UserProfile%\Downloads\chromeremotedesktophost.msi:Zone.Identifier
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\com.google.chrome.remote_assistance.json
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\com.google.chrome.remote_assistance-firefox.json
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\com.google.chrome.remote_desktop.json
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\com.google.chrome.remote_desktop-firefox.json
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\CREDITS.txt
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\icudtl.dat
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remote_assistance_host.exe
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remote_assistance_host_uiaccess.exe
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remote_security_key.exe
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_core.dll
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_desktop.exe
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_host.exe
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_native_messaging_host.exe
[CreateFile] msiexec.exe:3384 > %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_start_host.exe

Noriben also includes the SHA256 hash of files that remain on the system; I just removed them for brevity.

Registry wise? Again I am not going to post all of it... but just the more interesting ones:

[RegSetValue] HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings\inomeogfingihgjfjlpeplalcfajhgai
[RegSetValue] msiexec.exe:3384 > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1BB08B8A5BA044458B5F7864D70CB325\E86980FE7E7FAE34591BE1A8CCC84C95  =  C:\Program Files (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_desktop.exe
[RegSetValue] msiexec.exe:3384 > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D6AD99F700F304754934540B22A40CA4\E86980FE7E7FAE34591BE1A8CCC84C95  =  C:\Program Files (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remote_assistance_host.exe
[RegSetValue] msiexec.exe:3384 > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\053AAB5936FDC525BB55C1B17DE6090C\E86980FE7E7FAE34591BE1A8CCC84C95  =  C:\Program Files (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_host.exe

We can also see it fiddling with the Windows Firewall:

[RegSetValue] svchost.exe:1292 > HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{169CC2AF-5D74-45AF-8DC4-1291D5F0564F}  =  v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_host.exe|Name=Chrome Remote Desktop Host|Edge=TRUE|

And then creating itself as a service requiring a manual start (you have to click it in Chrome to start it):

[RegSetValue] services.exe:504 > HKLM\System\CurrentControlSet\services\chromoting\Type  =  16
[RegSetValue] services.exe:504 > HKLM\System\CurrentControlSet\services\chromoting\Start  =  3
[RegSetValue] services.exe:504 > HKLM\System\CurrentControlSet\services\chromoting\ErrorControl  =  0
[RegSetValue] services.exe:504 > HKLM\System\CurrentControlSet\services\chromoting\ImagePath  =  C:\Program Files (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_host.exe" --type=daemon --host-config="C:\ProgramData\Google\Chrome Remote Desktop\host.json

You then finally can see this nice little message in your Application log:

Source: MSI Installer
Event Id 1040: Beginning Windows Installer Transaction
Event Id 1042: Ending a Windows Installer Transaction
Event Id 11707: Installation Completed Successfully

Event Id 1033: Windows Installer Installed the Product
If you enable the extension/application you also see this. Included is the account used to start the application:

Source: Chromoting
    Event Id 5: Host starting (being able to accept/start connections)

Actually Getting Help (Finally!)

You would think at this point we are done, there is no possible way there is more... BUT WAIT THERE IS MORE! We haven't even started getting help yet! So let's go through that:

[CreateProcess] chrome.exe:640 > "%WinDir%\system32\cmd.exe /d /c %ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remote_assistance_host.exe chrome-extension://inomeogfingihgjfjlpeplalcfajhgai/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.463264fcfbc0a449 > \\.\pipe\chrome.nativeMessaging.out.463264fcfbc0a449" [Child PID: 2920]
[CreateProcess] cmd.exe:2920 > "%ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remote_assistance_host.exe  chrome-extension://inomeogfingihgjfjlpeplalcfajhgai/ --parent-window=0 " [Child PID: 3376]
[CreateProcess] remote_assistance_host.exe:3376 > "%ProgramFiles% (x86)\Google\Chrome Remote Desktop\80.0.3987.18\remoting_host.exe --type=evaluate_capability --evaluate-type=d3d-support" [Child PID: 1848]
...

We also have activity in the Application event log, which is very helpful. In it you can see the account that has remoted into your machine (which can be helpful, but let's face it, in a malware case it will be a throwaway).

Source: Chromoting
    Event Id 1/2: Remote Session starting/ending 
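A way to sweep a host for the artifacts listed above, as an added example that is not part of the original post. It assumes a Windows machine, an elevated PowerShell session (HKLM, the service key and every user's profile have to be readable) and the default profile layout; the extension id, service name, firewall rule name, event source and event ids are the values recorded in the post.

```powershell
# Added hunt script; not from the original post. Assumes a Windows host and an
# elevated session. All identifiers below are the ones observed in the post.
function Find-ChromeRemoteDesktopArtifacts {
    $extensionId = 'inomeogfingihgjfjlpeplalcfajhgai'
    $hostDir     = "${env:ProgramFiles(x86)}\Google\Chrome Remote Desktop"
    $svcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\chromoting'
    $fwKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
    $findings    = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($type, $where, $detail) {
        $findings.Add([pscustomobject]@{ Artifact = $type; Where = $where; Detail = $detail })
    }

    # 1. Extension folder in every profile; the manifest gives permissions, update URL, background page
    $pattern = "C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\$extensionId\*\manifest.json"
    foreach ($manifest in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
        $m = Get-Content -Raw -Path $manifest.FullName | ConvertFrom-Json
        $detail = 'permissions={0}; update_url={1}; background={2}' -f ($m.permissions -join ','), $m.update_url, ($null -ne $m.background)
        Add-Finding 'Extension' $manifest.FullName $detail
    }

    # 2. Host application dropped by chromeremotedesktophost.msi (any version folder)
    if (Test-Path -LiteralPath $hostDir) {
        Get-ChildItem -Path $hostDir -Recurse -Include 'remote_assistance_host.exe', 'remoting_host.exe' -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'HostBinary' $_.FullName ('{0} bytes, modified {1}' -f $_.Length, $_.LastWriteTime) }
    }

    # 3. The "chromoting" service; Start=3 is manual start, as seen in the post
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc) { Add-Finding 'Service' $svcKey ('Start={0}; ImagePath={1}' -f $svc.Start, $svc.ImagePath) }

    # 4. Inbound firewall rule the installer wrote for remoting_host.exe
    (Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*Chrome Remote Desktop Host*' } |
        ForEach-Object { Add-Finding 'FirewallRule' $_.Name $_.Value }

    # 5. Chromoting events: 5 = host starting, 1/2 = remote session starting/ending
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Chromoting'; Id = @(1, 2, 5) } -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Event' ('Chromoting/{0} at {1}' -f $_.Id, $_.TimeCreated) ($_.Message -replace '\s+', ' ') }

    return $findings
}

Find-ChromeRemoteDesktopArtifacts | Format-Table -AutoSize -Wrap
```

The event messages carry the account names the post mentions, so the Event rows are the ones to pivot on when you need to know who connected and when.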



What this post is long-windedly trying to say is that extensions can do a lot. Sometimes it's good to have a poke around your environment and see what extensions your users have on their machines (they run in the context of the user, so no admin rights are needed most of the time!). It's also good to search for the artifacts of these extensions in case you don't have the ability to easily search across your network.


A final fun thing: This is me using Chrome Remote Desktop on my VM -- it caused an inception loop. Trippy :)



Date: 2020-03-25 14:27:03

Source: http://sketchymoose.blogspot.com/2020/03/a-study-of-chrome-remote-desktop_25.html