{"id":24842393,"url":"https://github.com/arsolutioner/ExtensionHound","last_synced_at":"2025-10-14T15:30:19.151Z","repository":{"id":274381641,"uuid":"922723505","full_name":"arsolutioner/ExtensionHound","owner":"arsolutioner","description":"A security analysis tool that identifies DNS queries made by browser extensions, empowering security teams to detect and investigate suspicious activities.","archived":false,"fork":false,"pushed_at":"2025-02-09T07:59:34.000Z","size":142,"stargazers_count":124,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-09T08:25:40.600Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arsolutioner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-26T23:24:01.000Z","updated_at":"2025-02-09T08:21:09.000Z","dependencies_parsed_at":"2025-02-09T08:33:04.932Z","dependency_job_id":null,"html_url":"https://github.com/arsolutioner/ExtensionHound","commit_stats":null,"previous_names":["arsolutioner/extentionhound","arsolutioner/extensionhound"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/arsolutioner/ExtensionHound","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsolutioner%2FExtensionHound","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsolutioner%2FExtensionHound/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsolutioner%2FExtensionHound/release
s","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsolutioner%2FExtensionHound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arsolutioner","download_url":"https://codeload.github.com/arsolutioner/ExtensionHound/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arsolutioner%2FExtensionHound/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279019321,"owners_count":26086711,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-31T08:01:48.691Z","updated_at":"2025-10-14T15:30:19.145Z","avatar_url":"https://github.com/arsolutioner.png","language":"Python","funding_links":[],"categories":["Other Lists"],"sub_categories":["🛡️ DFIR:"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/user-attachments/assets/cb493d1f-b689-466b-839d-52ef506b211e\" alt=\"Centered Image\" width=\"500\"\u003e\n\u003c/p\u003e\n\u003chr /\u003e\n\n![2025012701061-ezgif com-video-to-gif-converter](https://github.com/user-attachments/assets/7b6b0073-8856-4e44-bd3a-dab4ecebda3b)\n\n## The Challenge: Chrome Extension DNS Forensics\n\nAs a security investigator, you've encountered a common frustration: Chrome extensions making suspicious 
DNS requests, but they're nearly impossible to trace back to their source. Why? Because all DNS requests appear to come from the Chrome process, making it extremely difficult to determine which extension is responsible for what network activity.\n\nTraditional network monitoring tools show:\n```\nProcess: chrome.exe\nDNS Query: suspicious-domain.com\n```\nBut which extension made that request? The trail goes cold... until now.\n\nExtensionHound is purpose-built to solve this forensic challenge by:\n1. Analyzing Chrome's internal network state\n2. Correlating DNS requests with specific extensions\n3. Revealing the hidden connections between extensions and their network activities\n\n## What ExtensionHound Does\n\nExtensionHound is a powerful forensic tool that breaks through the Chrome process attribution barrier, allowing you to:\n- 🔍 Scan Chrome profiles for extension DNS request history\n- 📊 Get detailed analysis of network connections\n- 🌐 Optionally check domain reputation via VirusTotal\n- 🔐 Optionally retrieve extension details from Secure Annex (users, rating, YARA pattern matching)\n- 📁 Export to multiple output formats (Console, CSV, JSON)\n- 🖥️ Run cross-platform (Windows, macOS, Linux)\n\n## Installation\n\n1. Clone the repository:\n```bash\ngit clone https://github.com/arsolutioner/ExtensionHound.git\ncd ExtensionHound\n```\n\n2. Create and activate a virtual environment (recommended):\n```bash\npython -m venv venv\nsource venv/bin/activate  # On Windows, use: venv\\Scripts\\activate\n```\n\n3. Install required packages:\n```bash\npip install -r requirements.txt\n```\n\n4. 
Set up API integrations (optional):\n   - Create a `.env` file in the project root\n   - Add your API keys:\n     ```\n     # VirusTotal API Key for domain reputation checks\n     VT_API_KEY=your_virustotal_api_key_here\n     \n     # Secure Annex API Key for extension details\n     SECUREANNEX_API_KEY=your_secureannex_api_key_here\n     \n     # Rate limit for API calls (per minute)\n     RATE_LIMIT_PER_MINUTE=4\n     ```\n\n## Usage\n\nCommon flags:\n- `--chrome-dir PATH`: Specify custom Chrome directory\n- `--vt`: Enable VirusTotal domain checking\n- `--secure-annex`: Enable Secure Annex extension details\n- `--output FORMAT`: Choose output format (csv/json)\n- `--output-file PATH`: Specify output file path\n\n## Usage Examples\n\nHere are some practical examples of how to use ExtensionHound:\n\n### Run a basic scan and save results to csv\n```bash\npython ExtensionHound.py --output csv --output-file audit_results.csv\n```\n\n### Run a full analysis with both VirusTotal and Secure Annex\n```bash\npython ExtensionHound.py --vt --secure-annex --output json --output-file \"audits/$(date +%Y-%m-%d)_security_report.json\"\n```\n\n### Run Offline For Profile-Specific Analysis\n```bash\n# Analyze a specific Chrome profile\npython ExtensionHound.py --chrome-dir \"/path/to/Chrome User Data/Profile 1\"\n\n# Deep dive into the Default profile with all features enabled\npython ExtensionHound.py --chrome-dir \"/path/to/Chrome User Data/Default\" --vt --secure-annex\n```\n\n## Features\n\n### VirusTotal Integration\n- Checks domain reputation against VirusTotal's database\n- Shows detection ratios with severity indicators:\n  - ✅ Clean (0 detections)\n  - ⚠️ Low Risk (1-2 detections)\n  - 🚨 Medium Risk (3-9 detections)\n  - ⛔ High Risk (10+ detections)\n\n### Secure Annex Integration\n- Retrieves detailed information about Chrome extensions:\n  - Extension name and developer\n  - Number of active users\n  - Extension rating\n  - Helps identify potentially malicious or 
suspicious extensions\n- YARA Rules Integration\n  - Uses YARA rules for advanced extension signature detection\n  - Identifies potentially malicious extensions based on code patterns\n  - Helps detect known malicious behaviors and techniques\n  \n## Contact \u0026 Support\n\n- 💼 LinkedIn: [Amram Englander](https://www.linkedin.com/in/amram-englander-a23a6a89/)\n- 📧 Secure Email: amrameng@proton.me\n- 🛡️ For urgent security assistance or consultation, feel free to reach out via ProtonMail or LinkedIn\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request.\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farsolutioner%2FExtensionHound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farsolutioner%2FExtensionHound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farsolutioner%2FExtensionHound/lists"}