I came across a funny thing while digging into Discord stealers. The world of Discord stealers is very much in the business of cryptocurrency theft, and because many crypto wallets ship as browser extensions, we frequently see this class of attack hunting for those extensions so it can inject malicious JavaScript. I've added a new set of TGI HUNT rules to detect these browser extension ID strings in HTTP.

For example, here is 1336 stealer v3:

Browser Extension Abuse

To flag new JavaScript arriving inbound, or identifying browser-extension information leaving outbound, I've introduced browser-extensions.rules, available in the TGI HUNT git repo: https://github.com/travisbgreen/hunting-rules/
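As an added illustration of the detection idea behind those rules (this is example code written for this post, not the TGI HUNT rules themselves), the snippet below scans captured HTTP request lines for Chromium extension IDs, which are 32 characters drawn only from the letters a through p. The sample traffic, the two watchlist IDs and their labels are constructed placeholders, not real wallet extension IDs; a production version would use the actual extension IDs of the wallets you care about and would run on decoded HTTP fields rather than raw lines.

```python
import re

# Chromium extension IDs are 32 characters from the alphabet a-p (hex digits
# mapped onto letters), so a run of exactly 32 such letters is a strong signal.
# The lookarounds stop the pattern from matching inside a longer a-p run.
EXT_ID_RE = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")

# Constructed watchlist: hypothetical IDs standing in for wallet extensions.
WATCHLIST = {
    "abcdefghijklmnopabcdefghijklmnop": "hypothetical-wallet-A",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "hypothetical-wallet-B",
}

# Constructed sample HTTP traffic, one header or request line per entry.
SAMPLE_HTTP = [
    "GET /wallet/abcdefghijklmnopabcdefghijklmnop/inject.js HTTP/1.1",
    "Host: cdn.example.test",
    "POST /report HTTP/1.1",
    "Host: c2.example.test",
    "Content-Type: application/json",
    '{"exts": ["ponmlkjihgfedcbaponmlkjihgfedcba", "zzzz"]}',
    "GET /static/app.js HTTP/1.1",
]

REQUEST_LINE_RE = re.compile(r"^(GET|POST|PUT) (\S+) HTTP/1\.[01]$")


def classify(line: str) -> str:
    """Label the context an extension ID appeared in.

    A request line fetching a .js resource under an extension path looks like
    inbound script delivery; anything else (a body, a header value) is treated
    as outbound enumeration of the victim's installed extensions.
    """
    m = REQUEST_LINE_RE.match(line)
    if m and m.group(2).endswith(".js"):
        return "inbound-js-fetch"
    return "outbound-enumeration"


def find_extension_ids(lines):
    """Return one hit per extension-ID-shaped token found in the HTTP lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in EXT_ID_RE.finditer(line):
            ext_id = m.group(0)
            hits.append({
                "line": lineno,
                "id": ext_id,
                "label": WATCHLIST.get(ext_id, "unknown-extension-id"),
                "context": classify(line),
            })
    return hits


if __name__ == "__main__":
    for hit in find_extension_ids(SAMPLE_HTTP):
        print(f"line {hit['line']}: {hit['label']} ({hit['context']}) {hit['id']}")
```

Anything matching the pattern but absent from the watchlist still surfaces as an unknown extension ID, which is useful for spotting wallets you have not yet added to the list; the tradeoff is occasional noise from benign extension traffic, so tune the watchlist and the surrounding HTTP context before alerting on it.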