Skip to content

move78ai/Rogue-AI-Extension-Hunting

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
Elastic
Elastic
 
 
IOCs
IOCs
 
 
Sentinel
Sentinel
 
 
Splunk
Splunk
 
 
README.md
README.md
 
 

Repository files navigation

Rogue-AI-Extension-Hunting

github

Hunting Rogue AI Extensions:

Detection Engineering is a tactical function of a cybersecurity defense program that involves the design, implementation, and operation of detective controls with the goal of proactively identifying malicious or unauthorized activity. This repository provides SIEM threat hunting queries (Splunk, Sentinel, Elastic) to detect rogue browser extensions and info-stealers.

Overview:

These rogue extensions often bypass MFA by stealing session cookies directly from the browser's local storage and scraping Document Object Model (DOM) data. They typically exfiltrate this data to attacker-controlled C2 servers like chatsaigpt.com and deepaichats.com every 30 minutes.

Repository Structure

• Splunk: SPL queries for tracking Sysmon Event Code 11 drops, anomalous logins, and data exfiltration.

• Sentinel: KQL queries targeting DeviceFileEvents to detect malicious .crx extension drops.

• Elastic: EQL sequence rules correlating .crx file creations with C2 beaconing.

• IOCs: Cryptographic extension IDs and known exfiltration domains for ingestion into your threat intelligence platforms.

About

Comprehensive SIEM threat hunting queries (Splunk SPL, Sentinel KQL, Elastic EQL) to detect rogue AI browser extensions and infostealers. Protect your environment against fake AI sidebars, DOM scraping, session token theft, and unauthorized data exfiltration.

Topics

splunk incident-response threat-hunting siem elastic browser-security kql detection-engineering infostealers

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors