Hi,
I have a Chrome extension making an outbound call to an external website. When I use EnCase to preview the running processes, I can only see Chrome.exe. Then I navigate to C:\Users\MyName\AppData\Local\Google\Chrome\User Data\Default\Extensions and I have a few folders.
I would like to know how I can find out which running Google extension made the call to an external website.
What other places do I need to check to correlate the information and conclude that a particular extension is "malicious"?
Thank you.
Maybe span the port and analyze the traffic with Wireshark to determine what service is being called? I am sure there is a way to get at this on the box, but being a 'network guy' every problem looks like a network one to me…
If you have access to the machine, netstat -ano will list all connections along with the PID. Find the one you are interested in and note the PID. Then open up Chrome's task manager, which will show you each extension and the PID it is running under.
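For the on-disk side of the question, the folders under Extensions are named by extension ID, each holding a version folder with a manifest.json. The following is an added example, not part of the thread: it lists every installed extension and flags those whose manifest declares a URL pattern covering the host seen in the traffic. The function names and the `declares_host` field are this example's own.

```python
import json
from pathlib import Path

def host_patterns(manifest):
    """Collect URL match patterns from MV2 and MV3 manifest fields."""
    pats = list(manifest.get("host_permissions", []))           # MV3
    pats += [p for p in manifest.get("permissions", [])         # MV2 mixes hosts and API names
             if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return sorted(set(pats))

def covers(pattern, host):
    """True if the host part of a match pattern covers the hostname."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):                               # *.example.com
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return host == pat_host

def triage(extensions_dir, host):
    """One record per <extension id>/<version>/manifest.json found."""
    rows = []
    for mf in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            m = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue                                            # malformed: review by hand
        pats = host_patterns(m)
        rows.append({
            "id": mf.parent.parent.name,                        # folder name is the extension ID
            "version_dir": mf.parent.name,
            "name": m.get("name", ""),                          # may be a __MSG_...__ locale key
            "api_permissions": [p for p in m.get("permissions", [])
                                if isinstance(p, str) and p not in pats],
            "host_patterns": pats,
            "declares_host": any(covers(p, host) for p in pats),
        })
    return rows

if __name__ == "__main__":
    import sys
    for row in triage(sys.argv[1], sys.argv[2]):                # <Extensions dir> <hostname>
        print(row)
```

A declared pattern only narrows the candidates: an extension can also reach hosts that allow cross-origin requests without listing them, so confirm against the extension's scripts and the captured traffic.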