Monday, June 14, 2021

List-ChromeExtensions.ps1 and List-ChromeExtensions.py

When I began investigating malicious Chrome extensions, the initial hurdle was working out what these 32-letter codes mean, and how to do this work without constantly looking them up on Google.

Thus List-ChromeExtensions was born to help with these investigations. I wrote a PowerShell script for Windows and a Python 2.7 script for Mac. The script uses a combination of the file system, each extension's manifest.json and the Chrome Web Store to identify the name, creation time, whether it's currently in the Chrome Web Store, the description, version, user, Chrome profile, and computer. Additionally, there's a parameter to pull the permissions from the manifest.json.

Options include:

  • showdefaults - Default extensions are generally not malicious, so they are not displayed by default.
  • showpermissions - Lists the permissions section from the manifest.json. 
  • output - PowerShell outputs in JSON or table. Python only outputs in JSON.

List-ChromeExtensions.ps1

Optional Parameters (default):

-showdefaults ($false)/$true
-showpermissions ($false)/$true (recommended with -output json for readability)
-output (table)/json


List-ChromeExtensions.py

Optional Parameters (default):

--showdefaults (False)/True
--showpermissions (False)/True

Output Attributes

  • CreationTimeUTC - The folder creation time from the file system for the specific extension. This is the install time.
  • Name - The title of the extension.
  • Description - The description provided in the manifest.json if it exists.
  • Chrome_Store - Lists whether the extension is in the Chrome Web Store or is an extension installed by default.
  • Version - The version provided in the manifest.json.
  • Code - The 32 letter code for the extension as seen in the extension folder.
  • User - The user with the extension installed.
  • Profile - The Chrome profile where the extension is installed. Typically this is Default, but if more than one Chrome profile exists it will show Profile 1, Profile 2, Profile 3, etc.
  • Computer - The Computer name. Helpful if you're aggregating results or storing data in a SOAR or ticketing platform.
  • Permissions (optional) - The permissions listed in the manifest.json. This is what the extension is allowed to access. This is helpful when looking for potentially malicious extensions that have more permissions than they should reasonably need.
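
The file-system and manifest.json half of the approach described above, as an added Python 3 example; it is not the code of List-ChromeExtensions.py. It assumes Chrome's on-disk layout `<User Data>/<Profile>/Extensions/<code>/<version>/manifest.json`, resolves `__MSG_...__` placeholder names from the extension's bundled `_locales` folder instead of querying the Chrome Web Store, and uses hypothetical function names.

```python
import json, os, re, socket
from datetime import datetime, timezone

ID_RE = re.compile(r"^[a-p]{32}$")  # extension IDs are 32 letters drawn from a-p

def _load(path):
    try:
        with open(path, encoding="utf-8-sig") as fh:
            data = json.load(fh)
        return data if isinstance(data, dict) else None
    except (OSError, ValueError):
        return None  # missing, unreadable or malformed JSON

def _localized(value, ver_dir, manifest):
    """Resolve a __MSG_key__ placeholder via _locales/<default_locale>/messages.json."""
    m = re.fullmatch(r"__MSG_(.+)__", value or "")
    locale = manifest.get("default_locale", "en")
    msgs = _load(os.path.join(ver_dir, "_locales", locale, "messages.json")) if m else None
    for key, entry in (msgs or {}).items():
        if key.lower() == m.group(1).lower():  # message keys are case-insensitive
            return entry.get("message", value)
    return value

def list_extensions(user_data_dir, show_permissions=False):
    """Return one dict per installed extension version under every Chrome profile."""
    rows = []
    for profile in sorted(os.listdir(user_data_dir)):
        ext_root = os.path.join(user_data_dir, profile, "Extensions")
        if not os.path.isdir(ext_root):
            continue
        for code in sorted(filter(ID_RE.match, os.listdir(ext_root))):
            code_dir = os.path.join(ext_root, code)
            st = os.stat(code_dir)
            created = getattr(st, "st_birthtime", st.st_ctime)  # Linux: change time only
            for version in sorted(os.listdir(code_dir)):
                ver_dir = os.path.join(code_dir, version)
                manifest = _load(os.path.join(ver_dir, "manifest.json"))
                if manifest is None:
                    continue
                row = {
                    "CreationTimeUTC": datetime.fromtimestamp(created, timezone.utc).isoformat(),
                    "Name": _localized(manifest.get("name"), ver_dir, manifest),
                    "Description": _localized(manifest.get("description"), ver_dir, manifest),
                    "Version": manifest.get("version"),
                    "Code": code, "Profile": profile, "Computer": socket.gethostname(),
                }
                if show_permissions:
                    row["Permissions"] = manifest.get("permissions", [])
                rows.append(row)
    return rows
```

Folders under `Extensions` that are not 32-letter codes are skipped, and a version folder without a readable manifest.json produces no row.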


Download


