From ba8d115e89840d98a0ce296539668354ff038677 Mon Sep 17 00:00:00 2001
From: Mark McKinnon <mark.mckinnon@davenport.edu>
Date: Wed, 9 Nov 2022 14:31:10 -0500
Subject: [PATCH] create tsk_comment for malicious extension found

create tsk_comment for malicious extension found
---
 .../autopsy/recentactivity/Chromium.java | 28 +++++--------------
 .../malicious_chrome_extensions.csv | 2 --
 2 files changed, 7 insertions(+), 23 deletions(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java
index 352e23e767..17b1c58740 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java
@@ -107,7 +107,8 @@ class Chromium extends Extract {
     private static final String FAVICON_ARTIFACT_NAME = "TSK_FAVICON"; //NON-NLS
     private static final String LOCAL_STATE_ARTIFACT_NAME = "TSK_LOCAL_STATE"; //NON-NLS
     private static final String EXTENSIONS_ARTIFACT_NAME = "TSK_CHROME_EXTENSIONS"; //NON-NLS
-
+    private static final String MALICIOUS_EXTENSION_FOUND = "Malicious Extension Found - ";
+
     private Boolean databaseEncrypted = false;
     private Boolean fieldEncrypted = false;
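Review bot: The new MALICIOUS_EXTENSION_FOUND literal is examiner-facing text (it is concatenated into a TSK_COMMENT attribute in the next hunk), whereas the three constants directly above it are internal artifact type names tagged `//NON-NLS`; the new line carries neither a tag nor a localization hook, so its status is ambiguous. If this module routes user-visible strings through a resource bundle (not visible in this hunk), the prefix belongs there; if it is deliberately a fixed literal, say so on the line, e.g. `private static final String MALICIOUS_EXTENSION_FOUND = "Malicious Extension Found - "; //NON-NLS, prefix for the TSK_COMMENT on a matched extension`. The enclosing class body continues outside the hunk.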
@@ -616,6 +617,11 @@ private void getExtensions(String browser, String browserLocation, String userNa
                 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ID,
                         RecentActivityExtracterModuleFactory.getModuleName(), extension));
+                if (maliciousChromeExtensions.get(extension) != null) {
+                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
+                            RecentActivityExtracterModuleFactory.getModuleName(),
+                            MALICIOUS_EXTENSION_FOUND + maliciousChromeExtensions.getOrDefault(extension, "No Source Identified")));
+                }
                 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
                         RecentActivityExtracterModuleFactory.getModuleName(), extName));
                 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DESCRIPTION,
@@ -637,26 +643,6 @@ private void getExtensions(String browser, String browserLocation, String userNa
             } catch (TskCoreException ex) {
                 logger.log(Level.SEVERE, String.format("Failed to create Extension artifact for file (%d)", extensionFile.getId()), ex);
             }
-
-            if (maliciousChromeExtensions.get(extension) != null & art != null) {
-                bbattributes = new ArrayList<>();
-                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ID,
-                        RecentActivityExtracterModuleFactory.getModuleName(), extension));
-                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
-                        RecentActivityExtracterModuleFactory.getModuleName(),
-                        maliciousChromeExtensions.getOrDefault(extension, "No Source Identified")));
-                try {
-                    bbartifacts.add(art.newAnalysisResult(
-                            BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_NOTABLE,
-                            null, "Malicious Chrome Extensions", null,
-                            bbattributes)
-                            .getAnalysisResult());
-                } catch (TskCoreException ex) {
-                    logger.log(Level.SEVERE, String.format("Failed to create Extension artifact for file (%d)", extensionFile.getId()), ex);
-                }
-
-            }
-
         }
         if (!context.dataSourceIngestIsCancelled()) {
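Review bot: A hit in maliciousChromeExtensions now leaves only a free-text TSK_COMMENT on the TSK_CHROME_EXTENSIONS artifact; the SCORE_NOTABLE / TSK_INTERESTING_ITEM analysis result that the following hunk deletes is not replaced, so any triage view or pipeline that keys on score or analysis-result type will no longer surface a known-malicious extension, and an examiner has to read the comment column to notice it. If that downgrade is intended it should be stated in the commit description; if the triage signal is still wanted, attach a scored analysis result to the artifact in addition to the comment (the artifact is created in the try block whose catch is visible at the start of the next hunk). Within the added guard the `getOrDefault(extension, "No Source Identified")` fallback is unreachable, because `get(extension) != null` has already been established, and the map is read twice; a single lookup states the intent more plainly: `String source = maliciousChromeExtensions.get(extension);` / `if (source != null) {` / `... MALICIOUS_EXTENSION_FOUND + source ...`. getExtensions starts and ends outside this hunk, and the type of maliciousChromeExtensions is not visible here.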
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/malicious_chrome_extensions.csv b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/malicious_chrome_extensions.csv
index 401d8f5c5f..6459ce134c 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/malicious_chrome_extensions.csv
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/malicious_chrome_extensions.csv
@@ -334,5 +334,3 @@ flijfnhifgdcbhglkneplegafminjnhn,"https://www.mcafee.com/blogs/other-blogs/mcafe
 gbnahglfafmhaehbdmjedfhdmimjcbed,"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users"
 mmnbenehknklpbendgmgngeaignppnbe,"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users"
 pojgkmkfincpdkdgjepkmdekcahmckjp,"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users"
-dgiklkfkllikcanfonkcabmbdfmgleag,"Test Extension"
-fogppepbgmgkpdkinbojbibkhoffpief,"Test 2 Extension"
\ No newline at end of file
-- 
GitLab