T1176

Software Extensions

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.

Microsoft Sentinel / Defender

kusto

let BrowserExtPaths = dynamic([
  "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\",
  "\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\",
  "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\",
  "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions\\"
]);
let IDEExtPaths = dynamic([
  "\\.vscode\\extensions\\",
  "\\AppData\\Roaming\\Code\\extensions\\",
  "\\.vscode-server\\extensions\\"
]);
let SuspiciousExtCommands = dynamic([
  "--load-extension",
  "--packed-extension",
  "--allow-outdated-plugins",
  "code --install-extension",
  "code-insiders --install-extension",
  ".crx",
  ".xpi",
  ".vsix"
]);
let LegitBrowserProcs = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"]);
let LegitIDEProcs = dynamic(["Code.exe", "code", "Code - Insiders.exe", "idea64.exe", "pycharm64.exe"]);
// Branch 1: Suspicious file writes into browser or IDE extension directories
let ExtFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where (FolderPath has_any (BrowserExtPaths) or FolderPath has_any (IDEExtPaths))
| where FileName endswith ".crx" or FileName endswith ".xpi" or FileName endswith ".vsix"
    or FileName =~ "manifest.json" or FileName endswith ".js" or FileName endswith ".dll"
| where InitiatingProcessFileName !in~ (LegitBrowserProcs)
    and InitiatingProcessFileName !in~ (LegitIDEProcs)
    and InitiatingProcessFileName !in~ ("chrome_updater.exe", "MicrosoftEdgeUpdate.exe", "GoogleUpdate.exe")
| extend DetectionType = "SuspiciousExtensionFileWrite"
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 2: Registry-based forced extension installation
let ExtRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "ExtensionInstallForcelist"
    or RegistryKey has "ExtensionInstallAllowlist"
    or (RegistryKey has "\\Extensions\\" and RegistryKey has_any ("\\Chrome\\", "\\Edge\\", "\\Chromium\\"))
    or RegistryKey has "ExtensionInstallBlacklist"
| extend DetectionType = "ExtensionRegistryForceInstall"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 3: Command-line extension installation or loading
let ExtCmdInstall = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SuspiciousExtCommands)
    or (ProcessCommandLine has "--load-extension" and InitiatingProcessFileName !in~ (LegitBrowserProcs))
    or (ProcessCommandLine has ".vsix" and ProcessCommandLine has_any ("install", "--install-extension"))
| extend DetectionType = "ExtensionCLIInstall"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
ExtFileCreation
| union ExtRegistryMod
| union ExtCmdInstall
| sort by Timestamp desc

medium severity medium confidence

Data Sources

File: File Creation Windows Registry: Windows Registry Key Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents DeviceProcessEvents

False Positives

Enterprise IT software packaging tools (SCCM, Intune) that deploy browser extensions as part of managed device configuration
Developer workstations where engineers legitimately install unpacked or sideloaded extensions using --load-extension for development and testing purposes
Security tools or browser management platforms (e.g., Ivanti, Workspace ONE) that configure forced extension installs via Group Policy or registry for enterprise DLP or SSO extensions
Automated build pipelines that install VSCode extensions as part of developer environment bootstrapping scripts
Legitimate extension marketplace update mechanisms that briefly trigger file writes to extension directories under unusual parent processes during background update checks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
(
  (EventCode=11
    (
      TargetFilename="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*"
      OR TargetFilename="*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\*"
      OR TargetFilename="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\extensions\\*"
      OR TargetFilename="*\\.vscode\\extensions\\*"
      OR TargetFilename="*\\AppData\\Roaming\\Code\\extensions\\*"
    )
    (
      TargetFilename="*.crx" OR TargetFilename="*.xpi" OR TargetFilename="*.vsix"
      OR TargetFilename="*manifest.json" OR TargetFilename="*.js"
    )
    NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe"
         OR Image="*\\Code.exe" OR Image="*\\brave.exe" OR Image="*\\opera.exe"
         OR Image="*\\MicrosoftEdgeUpdate.exe" OR Image="*\\GoogleUpdate.exe")
  )
  OR
  (EventCode IN (12,13,14)
    (
      TargetObject="*ExtensionInstallForcelist*"
      OR TargetObject="*ExtensionInstallAllowlist*"
      OR TargetObject="*ExtensionInstallBlacklist*"
      OR (TargetObject="*\\Extensions\\*"
          AND (TargetObject="*\\Chrome\\*" OR TargetObject="*\\Edge\\*" OR TargetObject="*\\Chromium\\*"))
    )
  )
  OR
  (EventCode=1
    (
      CommandLine="*--load-extension*"
      OR CommandLine="*--packed-extension*"
      OR CommandLine="*code --install-extension*"
      OR CommandLine="*code-insiders --install-extension*"
      OR (CommandLine="*.crx*" AND (CommandLine="*chrome*" OR CommandLine="*edge*" OR CommandLine="*brave*"))
      OR (CommandLine="*.vsix*" AND CommandLine="*install*")
    )
  )
)
| eval DetectionType=case(
    EventCode=11, "SuspiciousExtensionFileWrite",
    EventCode IN (12,13,14), "ExtensionRegistryForceInstall",
    EventCode=1, "ExtensionCLIInstall",
    true(), "Unknown")
| eval ArtifactPath=coalesce(TargetFilename, TargetObject, CommandLine)
| eval User=coalesce(User, "Unknown")
| table _time, host, User, Image, CommandLine, ArtifactPath, DetectionType, EventCode
| sort - _time

medium severity medium confidence

Data Sources

File: File Creation Windows Registry: Windows Registry Key Modification Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 12/13/14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise software management tools (SCCM, Intune, Workspace ONE) deploying browser extensions via Group Policy or registry-based forced install lists
Developer workstations with legitimate --load-extension usage during extension development, testing, and debugging workflows
Security products or SSO agents that manage browser extensions programmatically (e.g., Zscaler, Netskope browser extensions deployed via MDM)
Automated developer environment setup scripts that install VSCode extensions as part of onboarding or CI/CD bootstrap sequences
Browser update processes that transiently write to extension directories during version upgrades, triggering file creation events under unexpected parent processes

Elastic Security (EQL)

eql

any where
  (
    event.category == "file" and event.type in ("creation", "change") and
    (
      file.path : ("*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*",
                    "*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\*",
                    "*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\extensions\\*",
                    "*\\.vscode\\extensions\\*",
                    "*\\AppData\\Roaming\\Code\\extensions\\*")
    ) and
    (file.extension in ("crx", "xpi", "vsix", "js") or file.name == "manifest.json") and
    not process.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
                           "Code.exe", "MicrosoftEdgeUpdate.exe", "GoogleUpdate.exe", "chrome_updater.exe")
  )
  or
  (
    event.category == "registry" and
    (
      registry.path : ("*ExtensionInstallForcelist*", "*ExtensionInstallAllowlist*", "*ExtensionInstallBlacklist*") or
      (registry.path : "*\\Extensions\\*" and
       registry.path : ("*\\Chrome\\*", "*\\Edge\\*", "*\\Chromium\\*"))
    )
  )
  or
  (
    event.category == "process" and event.type == "start" and
    (
      process.command_line : ("*--load-extension*", "*--packed-extension*", "*--allow-outdated-plugins*",
                              "*code --install-extension*", "*code-insiders --install-extension*") or
      (process.command_line : "*.vsix*" and process.command_line : "*install*") or
      (process.command_line : "*.crx*" and
       process.command_line : ("*chrome*", "*edge*", "*brave*"))
    )
  )

high severity medium confidence

Data Sources

Elastic Defend endpoint agent Elastic Agent with Windows integration Filebeat with Sysmon module

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

IT administrators using group policy (GPO) to deploy approved browser extensions via ExtensionInstallForcelist will trigger the registry branch on managed endpoints
Developers installing VS Code extensions with 'code --install-extension' or loading unpacked Chrome extensions with --load-extension during development and testing workflows
Browser and IDE auto-update mechanisms may write extension files to disk using background updater processes not listed in the allowlist, especially third-party browser variants

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(startTime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  "username" AS Username,
  "HostName" AS Hostname,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  COALESCE("TargetFilename", "TargetObject", "CommandLine") AS ArtifactPath,
  CASE
    WHEN "EventID" = '11' THEN 'SuspiciousExtensionFileWrite'
    WHEN "EventID" IN ('12','13','14') THEN 'ExtensionRegistryForceInstall'
    WHEN "EventID" = '1' THEN 'ExtensionCLIInstall'
    ELSE 'Unknown'
  END AS DetectionType
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      "EventID" = '11'
      AND (
        "TargetFilename" ILIKE '%AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\%\\extensions\\%'
        OR "TargetFilename" ILIKE '%\\.vscode\\extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Roaming\\Code\\extensions\\%'
      )
      AND (
        "TargetFilename" ILIKE '%.crx'
        OR "TargetFilename" ILIKE '%.xpi'
        OR "TargetFilename" ILIKE '%.vsix'
        OR "TargetFilename" ILIKE '%.js'
        OR "TargetFilename" ILIKE '%manifest.json'
      )
      AND NOT (
        "Image" ILIKE '%\\chrome.exe'
        OR "Image" ILIKE '%\\msedge.exe'
        OR "Image" ILIKE '%\\firefox.exe'
        OR "Image" ILIKE '%\\Code.exe'
        OR "Image" ILIKE '%\\brave.exe'
        OR "Image" ILIKE '%\\opera.exe'
        OR "Image" ILIKE '%\\MicrosoftEdgeUpdate.exe'
        OR "Image" ILIKE '%\\GoogleUpdate.exe'
      )
    )
    OR
    (
      "EventID" IN ('12','13','14')
      AND (
        "TargetObject" ILIKE '%ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%ExtensionInstallAllowlist%'
        OR "TargetObject" ILIKE '%ExtensionInstallBlacklist%'
        OR (
          "TargetObject" ILIKE '%\\Extensions\\%'
          AND (
            "TargetObject" ILIKE '%\\Chrome\\%'
            OR "TargetObject" ILIKE '%\\Edge\\%'
            OR "TargetObject" ILIKE '%\\Chromium\\%'
          )
        )
      )
    )
    OR
    (
      "EventID" = '1'
      AND (
        "CommandLine" ILIKE '%--load-extension%'
        OR "CommandLine" ILIKE '%--packed-extension%'
        OR "CommandLine" ILIKE '%--allow-outdated-plugins%'
        OR "CommandLine" ILIKE '%code --install-extension%'
        OR "CommandLine" ILIKE '%code-insiders --install-extension%'
        OR ("CommandLine" ILIKE '%.vsix%' AND "CommandLine" ILIKE '%install%')
        OR (
          "CommandLine" ILIKE '%.crx%'
          AND ("CommandLine" ILIKE '%chrome%' OR "CommandLine" ILIKE '%edge%' OR "CommandLine" ILIKE '%brave%')
        )
      )
    )
  )
  AND startTime > NOW() - 86400000
ORDER BY startTime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log log source Sysmon log source via Windows Event Forwarding or direct agent

Required Tables

events

False Positives

Enterprise MDM or endpoint management tools (Intune, SCCM, Jamf) pushing browser extensions via registry GPO settings will generate ExtensionInstallForcelist matches
DevOps engineers and QA teams running automated browser testing frameworks (Selenium, Playwright) frequently use --load-extension to load test extensions in CI pipelines
Software packaging scripts that extract and stage .crx, .xpi, or .vsix files to local directories as part of offline installation bundles will match the file write branch

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*
| parse "<EventID>*</EventID>" as EventID nodrop
| parse "<TargetFilename>*</TargetFilename>" as TargetFilename nodrop
| parse "<TargetObject>*</TargetObject>" as TargetObject nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<Image>*</Image>" as Image nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| parse "<User>*</User>" as User nodrop
| where
  (
    EventID = "11"
    and (
      TargetFilename matches "*AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions*"
      or TargetFilename matches "*AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions*"
      or TargetFilename matches "*AppData\\Roaming\\Mozilla\\Firefox\\Profiles*"
      or TargetFilename matches "*.vscode\\extensions*"
      or TargetFilename matches "*AppData\\Roaming\\Code\\extensions*"
    )
    and (
      TargetFilename matches "*.crx"
      or TargetFilename matches "*.xpi"
      or TargetFilename matches "*.vsix"
      or TargetFilename matches "*.js"
      or TargetFilename matches "*manifest.json"
    )
    and not (
      Image matches "*\\chrome.exe"
      or Image matches "*\\msedge.exe"
      or Image matches "*\\firefox.exe"
      or Image matches "*\\Code.exe"
      or Image matches "*\\brave.exe"
      or Image matches "*\\MicrosoftEdgeUpdate.exe"
      or Image matches "*\\GoogleUpdate.exe"
    )
  )
  or (
    EventID in ("12", "13", "14")
    and (
      TargetObject matches "*ExtensionInstallForcelist*"
      or TargetObject matches "*ExtensionInstallAllowlist*"
      or TargetObject matches "*ExtensionInstallBlacklist*"
      or (
        TargetObject matches "*\\Extensions\\*"
        and (
          TargetObject matches "*\\Chrome\\*"
          or TargetObject matches "*\\Edge\\*"
          or TargetObject matches "*\\Chromium\\*"
        )
      )
    )
  )
  or (
    EventID = "1"
    and (
      CommandLine matches "*--load-extension*"
      or CommandLine matches "*--packed-extension*"
      or CommandLine matches "*--allow-outdated-plugins*"
      or CommandLine matches "*code --install-extension*"
      or CommandLine matches "*code-insiders --install-extension*"
      or (CommandLine matches "*.vsix*" and CommandLine matches "*install*")
      or (
        CommandLine matches "*.crx*"
        and (CommandLine matches "*chrome*" or CommandLine matches "*edge*" or CommandLine matches "*brave*")
      )
    )
  )
| eval DetectionType = if(EventID = "11", "SuspiciousExtensionFileWrite",
    if(EventID in ("12", "13", "14"), "ExtensionRegistryForceInstall",
    if(EventID = "1", "ExtensionCLIInstall", "Unknown")))
| eval ArtifactPath = if(EventID = "11", TargetFilename,
    if(EventID in ("12", "13", "14"), TargetObject, CommandLine))
| fields _messageTime, Computer, User, Image, CommandLine, ArtifactPath, DetectionType, EventID
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source Sysmon for Windows configured with file, registry, and process monitoring

Required Tables

Windows Sysmon Operational event log (_sourceCategory matching sysmon)

False Positives

Helpdesk teams or system administrators manually installing approved browser extensions on user machines via command-line scripting for standardized deployment
Security research or malware analysis workstations that intentionally load unpacked browser extensions or test .crx/.xpi packages as part of threat analysis workflows
Application whitelisting or endpoint management agents that legitimately read or write extension metadata files during inventory or compliance scanning operations

Google Chronicle / SecOps

yaral

rule t1176_software_extension_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1176 Software Extension abuse: suspicious file writes to browser/IDE extension directories, registry forced-install policy modification, and CLI-based extension loading or installation"
    mitre_attack_technique = "T1176"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-19"

  events:
    (
      // Branch 1: Suspicious file creation in browser or IDE extension directories
      $e.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e.target.file.full_path, `(?i)AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*\\extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)\.vscode\\extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Roaming\\Code\\extensions\\`)
      )
      and (
        re.regex($e.target.file.full_path, `(?i)\.(crx|xpi|vsix|js)$`)
        or re.regex($e.target.file.full_path, `(?i)manifest\.json$`)
      )
      and not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|Code\.exe|brave\.exe|opera\.exe|MicrosoftEdgeUpdate\.exe|GoogleUpdate\.exe|chrome_updater\.exe)$`)
    )
    or
    (
      // Branch 2: Registry modification for forced extension installation policy
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e.target.registry.registry_key, `(?i)ExtensionInstallForcelist`)
        or re.regex($e.target.registry.registry_key, `(?i)ExtensionInstallAllowlist`)
        or re.regex($e.target.registry.registry_key, `(?i)ExtensionInstallBlacklist`)
        or (
          re.regex($e.target.registry.registry_key, `(?i)\\Extensions\\.`)
          and (
            re.regex($e.target.registry.registry_key, `(?i)\\Chrome\\`)
            or re.regex($e.target.registry.registry_key, `(?i)\\Edge\\`)
            or re.regex($e.target.registry.registry_key, `(?i)\\Chromium\\`)
          )
        )
      )
    )
    or
    (
      // Branch 3: CLI-based extension installation or loading
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `(?i)(--load-extension|--packed-extension|--allow-outdated-plugins)`)
        or re.regex($e.target.process.command_line, `(?i)code(-insiders)?\s+--install-extension`)
        or (
          re.regex($e.target.process.command_line, `(?i)\.vsix`)
          and re.regex($e.target.process.command_line, `(?i)install`)
        )
        or (
          re.regex($e.target.process.command_line, `(?i)\.crx`)
          and re.regex($e.target.process.command_line, `(?i)(chrome|edge|brave)`)
        )
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle with Google Security Operations ingestion Windows endpoint telemetry forwarded via Chronicle forwarder Sysmon or EDR events normalized to UDM

Required Tables

UDM events (FILE_CREATION, REGISTRY_MODIFICATION, PROCESS_LAUNCH event types)

False Positives

Enterprise browser management platforms (Google Workspace Admin, Microsoft Intune) configuring ExtensionInstallForcelist via GPO on managed corporate devices will generate high-volume registry branch alerts
Developer workstations running browser automation or web scraping tools that load unpacked extensions with --load-extension as part of normal test harness execution
Extension packaging pipelines that copy built .crx or .vsix artifacts into local extension directories during build and release processes before publishing to marketplaces

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["PeFileWritten", "AsepValueUpdate", "RegKeyUpdate", "ProcessRollup2"]
| case {
    #event_simpleName = "PeFileWritten"
      | test(TargetFileName = /(?i)(AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\|AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\|AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*extensions\\|\.vscode\\extensions\\|AppData\\Roaming\\Code\\extensions\\)/)
      | test(TargetFileName = /(?i)\.(crx|xpi|vsix|js)$|manifest\.json$/)
      | test(ImageFileName != /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|Code\.exe|brave\.exe|opera\.exe|MicrosoftEdgeUpdate\.exe|GoogleUpdate\.exe|chrome_updater\.exe)$/)
      | DetectionType := "SuspiciousExtensionFileWrite"
      | ArtifactPath := TargetFileName ;

    #event_simpleName in ["AsepValueUpdate", "RegKeyUpdate"]
      | test(RegObjectName = /(?i)(ExtensionInstallForcelist|ExtensionInstallAllowlist|ExtensionInstallBlacklist)|(\\Extensions\\.*\\(Chrome|Edge|Chromium)\\)/)
      | DetectionType := "ExtensionRegistryForceInstall"
      | ArtifactPath := RegObjectName ;

    #event_simpleName = "ProcessRollup2"
      | test(CommandLine = /(?i)(--load-extension|--packed-extension|--allow-outdated-plugins|code(-insiders)?\s+--install-extension)|(\.crx.*chrome|\.crx.*edge|\.crx.*brave|\.vsix.*install)/)
      | DetectionType := "ExtensionCLIInstall"
      | ArtifactPath := CommandLine ;

    * | drop()
  }
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ArtifactPath, DetectionType])
| sort(field=_time, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor (full EDR telemetry) Falcon Data Replicator or Humio/LogScale ingestion pipeline

Required Tables

PeFileWritten Falcon events AsepValueUpdate Falcon events RegKeyUpdate Falcon events ProcessRollup2 Falcon events

False Positives

CrowdStrike Falcon itself or other endpoint agents may write files to monitored extension paths during telemetry collection or extension enumeration scans, triggering false PeFileWritten matches
Software developers using VS Code Remote extensions or Dev Containers that automatically sync and install extensions to .vscode-server paths on remote hosts via automated tooling
Corporate browser provisioning scripts that stage pre-approved .crx packages locally and install them using Chrome command-line flags as part of a standardized onboarding image build

Last updated: 2026-04-19 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1176 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Software Extensions

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Persistence

Popular Detections