Common Information
Type | Value |
---|---|
Value |
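// Hunting rule: matches small files that look like a browser-extension
// manifest (JSON) and declare a "permissions" key.
//
// A hit means "this is probably an extension manifest that requests
// permissions". It says nothing about whether the extension is malicious,
// so treat results as a triage set and review the permissions that are
// actually requested.
//
// Coverage limits that follow from the rule text:
//   - No `wide` or `nocase` modifiers are used, so only single-byte
//     (ASCII/UTF-8), exact-case key names match; a UTF-16 manifest will not.
//   - `filesize < 10KB` excludes manifests of 10 KB or larger.
//   - Each pattern is only a quoted key followed by a colon, so a key nested
//     at any depth of the JSON document counts as a match.
rule M_Hunting_Extension_Manifest_Permissions_1
{
    meta:
        author = "Mandiant"
        description = "Hunting for extension manifests with permissions."
        md5 = "b4a020208821c7e5bf99f8e3367897ba"

    strings:
        // Keys that must all be present (see `all of ($a*)` in the condition).
        $a1 = /"manifest_version"\s*:\s*/
        $a2 = /"name"\s*:\s*/
        $a3 = /"version"\s*:\s*/

        // The key this rule hunts for. Its identifier also starts with "$a",
        // so the `$a*` wildcard in the condition covers it as well.
        $anchor = /"permissions"\s*:\s*/

        // Optional manifest keys; at least one must be present.
        // NOTE(review): $s31 is absent from the numbering. YARA does not need
        // contiguous identifiers. Alphabetical order suggests it was
        // "permissions", now $anchor. Unconfirmed.
        $s1 = /"author"\s*:\s*/
        $s2 = /"automation"\s*:\s*/
        $s3 = /"background"\s*:\s*/
        $s4 = /"chrome_settings_overrides"\s*:\s*/
        $s5 = /"chrome_url_overrides"\s*:\s*/
        $s6 = /"commands"\s*:\s*/
        $s7 = /"content_scripts"\s*:\s*/
        $s8 = /"content_security_policy"\s*:\s*/
        $s9 = /"cross_origin_embedder_policy"\s*:\s*/
        $s10 = /"cross_origin_opener_policy"\s*:\s*/
        $s11 = /"declarative_net_request"\s*:\s*/
        $s12 = /"devtools_page"\s*:\s*/
        $s13 = /"event_rules"\s*:\s*/
        $s14 = /"export"\s*:\s*/
        $s15 = /"externally_connectable"\s*:\s*/
        $s16 = /"file_browser_handlers"\s*:\s*/
        $s17 = /"file_system_provider_capabilities"\s*:\s*/
        $s18 = /"homepage_url"\s*:\s*/
        $s19 = /"host_permissions"\s*:\s*/
        $s20 = /"import"\s*:\s*/
        $s21 = /"incognito"\s*:\s*/
        $s22 = /"input_components"\s*:\s*/
        $s23 = /"key"\s*:\s*/
        $s24 = /"minimum_chrome_version"\s*:\s*/
        $s25 = /"oauth2"\s*:\s*/
        $s26 = /"omnibox"\s*:\s*/
        $s27 = /"optional_host_permissions"\s*:\s*/
        $s28 = /"optional_permissions"\s*:\s*/
        $s29 = /"options_page"\s*:\s*/
        $s30 = /"options_ui"\s*:\s*/
        $s32 = /"requirements"\s*:\s*/
        $s33 = /"sandbox"\s*:\s*/
        $s34 = /"short_name"\s*:\s*/
        $s35 = /"storage"\s*:\s*/
        $s36 = /"tts_engine"\s*:\s*/
        $s37 = /"update_url"\s*:\s*/
        $s38 = /"version_name"\s*:\s*/
        $s39 = /"web_accessible_resources"\s*:\s*/

        // "action" and "icons" hold JSON objects in a manifest, so these two
        // patterns end at the colon like the ones above. Requiring an opening
        // string quote after the colon would keep them from ever matching a
        // well-formed manifest.
        $s40 = /"action"\s*:\s*/
        $s43 = /"icons"\s*:\s*/

        // "default_locale" and "description" hold string values, so these two
        // also require the opening quote of the value.
        $s41 = /"default_locale"\s*:\s*"/
        $s42 = /"description"\s*:\s*"/

    condition:
        // `$anchor` is listed explicitly to keep the intent visible, although
        // `all of ($a*)` already requires it.
        filesize < 10KB and
        $anchor and
        (all of ($a*)) and
        (1 of ($s*))
}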
Category | |
Type | Yara Rule |
Misp Type | |
Description |