Wednesday, June 19, 2024

Progressive Web Apps (PWA) on Windows - forensics and detection of use

Introduction

Progressive Web app (PWA) is just a webapp that can be installed as an app on a system and runs in a browser when you open it from desktop or other places. Links under resources have more details/specifics. 


While on twitter, I saw a tweet from mr.d0x (who does great research and runs many useful projects) about using PWA for phishing.

Essentially, the user is made to install PWA app, once they install the app, the app pops up with phishing page. Since the attacker made the app, the attacker can control what the app UI looks like. In the phishing attack, the app has phishing page with URL bar deceptively showing official MS login URL. 

https://mrd0x.com/progressive-web-apps-pwa-phishing/


As someone who does blue team as a job 😢, I was thinking about how I'd go find PWA's being used in my environment. 

I'd like to start by looking at logs, such as process execution logs or file write logs, then start looking for what other artifacts are generated on disk, if logs aren't available and forensics being done. 

PWAs can be installed with multiple browsers. I will just focus on Chrome for now but research can be replicated with other browsers. 


Analysis

Since I don't have PWA app of my own to mess with, I just Googled for demo apps that I can try in a lab environment and Microsoft has a dedicated page for some demo apps. 

I loaded up one of the demo apps in Anyrun and Triage. The sandboxes provide enough info to then figure out what you'd look for in logs or on disk. 


App: https://microsoftedge.github.io/Demos/pwamp/

Reports:

https://app.any.run/tasks/6467ee70-96d3-41dd-8094-c1ec77ac4baa

https://tria.ge/240619-21m3lszgll/behavioral1


Initially, once the app is installed, the app opens up in a new window. There doesn't seem to be any specific process execution activity. 


A shortcut file is written to the Desktop for the app. 


Shortcut link opens the PWA in a very specific way, which is nice. With Chrome, chrome_proxy process is opened with --app-id and specific app id. 


That's not all, there is a secondary process spawned by Chrome_proxy. It's chrome, but with shortcut link file name and app id. 



There are also registry changes that happen around the installation process, specifically, Anyrun highlights creation of uninstallation entry. 

The uninstallation entry located at HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\9A3477235286E8A16E2ECE78681F58F7 contains the following:

link to icon file - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_gpkmcolhnceikobakadkpfhphmboeeog\PWAmp music player.ico

uninstall string - "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default --uninstall-app-id=gpkmcolhnceikobakadkpfhphmboeeog

Version

App display name - PWAMP MUSIC PLAYER

Install date

Publisher - GOOGLE\CHROME 



That's not all, there are more interesting registry changes that happen.

Location: HKEY_CLASSES_ROOT\Chrome.2257410145\Application & HKEY_CLASSES_ROOT\Chrome.1969634003\Application have more info about the app:

Chrome also makes some folders/files for the app.


Chrome makes app info available as well.



Chrome app service internals page has even more details


Preferences file in C:\Users\user\AppData\Local\Google\Chrome\User Data also has info about the app and the exact link. 


Logs

Process execution logs - 4688 or sysmon event id 1 should show the use of PWA apps. Execution of chrome_proxy and chrome with some of the parameters/args shown in the examples above is what I'd look for. 

File write - There are multiple file write events. Easiest things to look for is lnk file in Chrome Apps folder and creation of files in Web Applications folder in "AppData\Local\Google\Chrome\User Data\Default". 

You could look at .lnk file creation on Desktop by Chrome process too.

Registry changes - Sysmon has multiple events related to registry operations. Looking for uninstall entry and Chrome app creation like "HKEY_CLASSES_ROOT\Chrome.2257410145\Application" could be interesting.


File system/registry artifacts

If you don't have logs but still have disk access to do forensics, it should be pretty easy to grab and parse registry files to find the PWA app info in locations listed above. Same goes for files and folders created during PWA app installation. 

Chrome and Windows keeps timestamp info regarding installation in the logs/registry too which can be helpful in determining timeline.

As mentioned above, Preferences file has useful info as well.

Reviewing App_* files in C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\ might be useful too. 


Conclusion

PWA apps are legitimately used by many orgs and hunting across the env. or doing forensics won't always lead to anything interesting. 


I haven't done too much research but as far as I know, I haven't seen threat actors abuse PWA and I'm not sure if any will start.


There are for sure more spots where artifacts of PWA use can be found (storage, logs, sqlite files, etc) that I didn't find/dive into. Also, it's possible each browser behaves differently. 


Resources

https://en.wikipedia.org/wiki/Progressive_web_app

https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps

https://mrd0x.com/progressive-web-apps-pwa-phishing/

https://blog.nviso.eu/2020/01/16/deep-dive-into-the-security-of-progressive-web-apps/

https://learn.microsoft.com/en-us/microsoft-edge/progressive-web-apps-chromium/demo-pwas