Which SIEM platforms have a T1176 detection rule?

df00tech provides T1176 (Software Extensions) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1176 detection?

The T1176 detection is rated medium severity with medium confidence.

What are common false positives for T1176?

Common false positives for T1176 include: Enterprise IT software packaging tools (SCCM, Intune) that deploy browser extensions as part of managed device configuration; Developer workstations where engineers legitimately install unpacked or sideloaded extensions using --load-extension for development and testing purposes; Security tools or browser management platforms (e.g., Ivanti, Workspace ONE) that configure forced extension installs via Group Policy or registry for enterprise DLP or SSO extensions.

T1176

Software Extensions

Q: What data sources are required to detect Software Extensions (T1176)?

Detecting Software Extensions requires the following data sources: File: File Creation, Windows Registry: Windows Registry Key Modification, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

Persistence Last updated: April 19, 2026

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.

What is T1176 Software Extensions?

Software Extensions (T1176) maps to the Persistence tactic — the adversary is trying to maintain their foothold in MITRE ATT&CK.

This page provides production-ready detection logic for Software Extensions, covering the data sources and telemetry it touches: File: File Creation, Windows Registry: Windows Registry Key Modification, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Persistence
Technique: T1176 Software Extensions
Canonical reference: https://attack.mitre.org/techniques/T1176/

Microsoft Sentinel / Defender

kusto

let BrowserExtPaths = dynamic([
  "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\",
  "\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\",
  "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\",
  "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions\\"
]);
let IDEExtPaths = dynamic([
  "\\.vscode\\extensions\\",
  "\\AppData\\Roaming\\Code\\extensions\\",
  "\\.vscode-server\\extensions\\"
]);
let SuspiciousExtCommands = dynamic([
  "--load-extension",
  "--packed-extension",
  "--allow-outdated-plugins",
  "code --install-extension",
  "code-insiders --install-extension",
  ".crx",
  ".xpi",
  ".vsix"
]);
let LegitBrowserProcs = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"]);
let LegitIDEProcs = dynamic(["Code.exe", "code", "Code - Insiders.exe", "idea64.exe", "pycharm64.exe"]);
// Branch 1: Suspicious file writes into browser or IDE extension directories
let ExtFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where (FolderPath has_any (BrowserExtPaths) or FolderPath has_any (IDEExtPaths))
| where FileName endswith ".crx" or FileName endswith ".xpi" or FileName endswith ".vsix"
    or FileName =~ "manifest.json" or FileName endswith ".js" or FileName endswith ".dll"
| where InitiatingProcessFileName !in~ (LegitBrowserProcs)
    and InitiatingProcessFileName !in~ (LegitIDEProcs)
    and InitiatingProcessFileName !in~ ("chrome_updater.exe", "MicrosoftEdgeUpdate.exe", "GoogleUpdate.exe")
| extend DetectionType = "SuspiciousExtensionFileWrite"
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 2: Registry-based forced extension installation
let ExtRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "ExtensionInstallForcelist"
    or RegistryKey has "ExtensionInstallAllowlist"
    or (RegistryKey has "\\Extensions\\" and RegistryKey has_any ("\\Chrome\\", "\\Edge\\", "\\Chromium\\"))
    or RegistryKey has "ExtensionInstallBlacklist"
| extend DetectionType = "ExtensionRegistryForceInstall"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 3: Command-line extension installation or loading
let ExtCmdInstall = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SuspiciousExtCommands)
    or (ProcessCommandLine has "--load-extension" and InitiatingProcessFileName !in~ (LegitBrowserProcs))
    or (ProcessCommandLine has ".vsix" and ProcessCommandLine has_any ("install", "--install-extension"))
| extend DetectionType = "ExtensionCLIInstall"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
ExtFileCreation
| union ExtRegistryMod
| union ExtCmdInstall
| sort by Timestamp desc

Detects suspicious software extension installation and modification across browsers and IDEs using Microsoft Defender for Endpoint tables. Three detection branches: (1) DeviceFileEvents monitors file writes to browser and IDE extension directories by non-browser processes, targeting .crx, .xpi, .vsix, manifest.json, and .js files; (2) DeviceRegistryEvents monitors policy-based forced extension installation via ExtensionInstallForcelist and related registry keys; (3) DeviceProcessEvents monitors command-line extension loading via --load-extension, --packed-extension, and CLI install flags. Legitimate browser/updater processes are excluded to reduce noise.

medium severity medium confidence

Data Sources

File: File Creation Windows Registry: Windows Registry Key Modification Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents DeviceProcessEvents

False Positives

Enterprise IT software packaging tools (SCCM, Intune) that deploy browser extensions as part of managed device configuration
Developer workstations where engineers legitimately install unpacked or sideloaded extensions using --load-extension for development and testing purposes
Security tools or browser management platforms (e.g., Ivanti, Workspace ONE) that configure forced extension installs via Group Policy or registry for enterprise DLP or SSO extensions
Automated build pipelines that install VSCode extensions as part of developer environment bootstrapping scripts
Legitimate extension marketplace update mechanisms that briefly trigger file writes to extension directories under unusual parent processes during background update checks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
(
  (EventCode=11
    (
      TargetFilename="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*"
      OR TargetFilename="*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\*"
      OR TargetFilename="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\extensions\\*"
      OR TargetFilename="*\\.vscode\\extensions\\*"
      OR TargetFilename="*\\AppData\\Roaming\\Code\\extensions\\*"
    )
    (
      TargetFilename="*.crx" OR TargetFilename="*.xpi" OR TargetFilename="*.vsix"
      OR TargetFilename="*manifest.json" OR TargetFilename="*.js"
    )
    NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe"
         OR Image="*\\Code.exe" OR Image="*\\brave.exe" OR Image="*\\opera.exe"
         OR Image="*\\MicrosoftEdgeUpdate.exe" OR Image="*\\GoogleUpdate.exe")
  )
  OR
  (EventCode IN (12,13,14)
    (
      TargetObject="*ExtensionInstallForcelist*"
      OR TargetObject="*ExtensionInstallAllowlist*"
      OR TargetObject="*ExtensionInstallBlacklist*"
      OR (TargetObject="*\\Extensions\\*"
          AND (TargetObject="*\\Chrome\\*" OR TargetObject="*\\Edge\\*" OR TargetObject="*\\Chromium\\*"))
    )
  )
  OR
  (EventCode=1
    (
      CommandLine="*--load-extension*"
      OR CommandLine="*--packed-extension*"
      OR CommandLine="*code --install-extension*"
      OR CommandLine="*code-insiders --install-extension*"
      OR (CommandLine="*.crx*" AND (CommandLine="*chrome*" OR CommandLine="*edge*" OR CommandLine="*brave*"))
      OR (CommandLine="*.vsix*" AND CommandLine="*install*")
    )
  )
)
| eval DetectionType=case(
    EventCode=11, "SuspiciousExtensionFileWrite",
    EventCode IN (12,13,14), "ExtensionRegistryForceInstall",
    EventCode=1, "ExtensionCLIInstall",
    true(), "Unknown")
| eval ArtifactPath=coalesce(TargetFilename, TargetObject, CommandLine)
| eval User=coalesce(User, "Unknown")
| table _time, host, User, Image, CommandLine, ArtifactPath, DetectionType, EventCode
| sort - _time

Detects software extension abuse using Sysmon event logs. Three branches: Sysmon Event ID 11 (FileCreate) identifies non-browser processes writing .crx, .xpi, .vsix, manifest.json, or .js files to browser and IDE extension directories; Sysmon Event IDs 12/13/14 (RegistryEvent) detect forced extension installation via policy registry keys (ExtensionInstallForcelist, ExtensionInstallAllowlist); Sysmon Event ID 1 (ProcessCreate) captures extension loading via --load-extension, --packed-extension flags, and CLI install commands for VSCode/Chrome. Results are tagged with a DetectionType field for triage prioritization.

medium severity medium confidence

Data Sources

File: File Creation Windows Registry: Windows Registry Key Modification Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 12/13/14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise software management tools (SCCM, Intune, Workspace ONE) deploying browser extensions via Group Policy or registry-based forced install lists
Developer workstations with legitimate --load-extension usage during extension development, testing, and debugging workflows
Security products or SSO agents that manage browser extensions programmatically (e.g., Zscaler, Netskope browser extensions deployed via MDM)
Automated developer environment setup scripts that install VSCode extensions as part of onboarding or CI/CD bootstrap sequences
Browser update processes that transiently write to extension directories during version upgrades, triggering file creation events under unexpected parent processes

Elastic Security (EQL)

eql

any where
  (
    event.category == "file" and event.type in ("creation", "change") and
    (
      file.path : ("*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*",
                    "*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\*",
                    "*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\extensions\\*",
                    "*\\.vscode\\extensions\\*",
                    "*\\AppData\\Roaming\\Code\\extensions\\*")
    ) and
    (file.extension in ("crx", "xpi", "vsix", "js") or file.name == "manifest.json") and
    not process.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
                           "Code.exe", "MicrosoftEdgeUpdate.exe", "GoogleUpdate.exe", "chrome_updater.exe")
  )
  or
  (
    event.category == "registry" and
    (
      registry.path : ("*ExtensionInstallForcelist*", "*ExtensionInstallAllowlist*", "*ExtensionInstallBlacklist*") or
      (registry.path : "*\\Extensions\\*" and
       registry.path : ("*\\Chrome\\*", "*\\Edge\\*", "*\\Chromium\\*"))
    )
  )
  or
  (
    event.category == "process" and event.type == "start" and
    (
      process.command_line : ("*--load-extension*", "*--packed-extension*", "*--allow-outdated-plugins*",
                              "*code --install-extension*", "*code-insiders --install-extension*") or
      (process.command_line : "*.vsix*" and process.command_line : "*install*") or
      (process.command_line : "*.crx*" and
       process.command_line : ("*chrome*", "*edge*", "*brave*"))
    )
  )

Detects T1176 Software Extension abuse via three branches using ECS-normalized events: (1) suspicious file writes of .crx/.xpi/.vsix/manifest.json/.js into browser or IDE extension directories by non-browser processes, (2) registry policy modifications forcing extension installation via ExtensionInstallForcelist/Allowlist/Blacklist keys, and (3) command-line invocations of --load-extension, --packed-extension, or code --install-extension arguments. Covers Chrome, Edge, Firefox, Brave, and VS Code extension paths.

high severity medium confidence

Data Sources

Elastic Defend endpoint agent Elastic Agent with Windows integration Filebeat with Sysmon module

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

IT administrators using group policy (GPO) to deploy approved browser extensions via ExtensionInstallForcelist will trigger the registry branch on managed endpoints
Developers installing VS Code extensions with 'code --install-extension' or loading unpacked Chrome extensions with --load-extension during development and testing workflows
Browser and IDE auto-update mechanisms may write extension files to disk using background updater processes not listed in the allowlist, especially third-party browser variants

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(startTime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  "username" AS Username,
  "HostName" AS Hostname,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  COALESCE("TargetFilename", "TargetObject", "CommandLine") AS ArtifactPath,
  CASE
    WHEN "EventID" = '11' THEN 'SuspiciousExtensionFileWrite'
    WHEN "EventID" IN ('12','13','14') THEN 'ExtensionRegistryForceInstall'
    WHEN "EventID" = '1' THEN 'ExtensionCLIInstall'
    ELSE 'Unknown'
  END AS DetectionType
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      "EventID" = '11'
      AND (
        "TargetFilename" ILIKE '%AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\%\\extensions\\%'
        OR "TargetFilename" ILIKE '%\\.vscode\\extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Roaming\\Code\\extensions\\%'
      )
      AND (
        "TargetFilename" ILIKE '%.crx'
        OR "TargetFilename" ILIKE '%.xpi'
        OR "TargetFilename" ILIKE '%.vsix'
        OR "TargetFilename" ILIKE '%.js'
        OR "TargetFilename" ILIKE '%manifest.json'
      )
      AND NOT (
        "Image" ILIKE '%\\chrome.exe'
        OR "Image" ILIKE '%\\msedge.exe'
        OR "Image" ILIKE '%\\firefox.exe'
        OR "Image" ILIKE '%\\Code.exe'
        OR "Image" ILIKE '%\\brave.exe'
        OR "Image" ILIKE '%\\opera.exe'
        OR "Image" ILIKE '%\\MicrosoftEdgeUpdate.exe'
        OR "Image" ILIKE '%\\GoogleUpdate.exe'
      )
    )
    OR
    (
      "EventID" IN ('12','13','14')
      AND (
        "TargetObject" ILIKE '%ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%ExtensionInstallAllowlist%'
        OR "TargetObject" ILIKE '%ExtensionInstallBlacklist%'
        OR (
          "TargetObject" ILIKE '%\\Extensions\\%'
          AND (
            "TargetObject" ILIKE '%\\Chrome\\%'
            OR "TargetObject" ILIKE '%\\Edge\\%'
            OR "TargetObject" ILIKE '%\\Chromium\\%'
          )
        )
      )
    )
    OR
    (
      "EventID" = '1'
      AND (
        "CommandLine" ILIKE '%--load-extension%'
        OR "CommandLine" ILIKE '%--packed-extension%'
        OR "CommandLine" ILIKE '%--allow-outdated-plugins%'
        OR "CommandLine" ILIKE '%code --install-extension%'
        OR "CommandLine" ILIKE '%code-insiders --install-extension%'
        OR ("CommandLine" ILIKE '%.vsix%' AND "CommandLine" ILIKE '%install%')
        OR (
          "CommandLine" ILIKE '%.crx%'
          AND ("CommandLine" ILIKE '%chrome%' OR "CommandLine" ILIKE '%edge%' OR "CommandLine" ILIKE '%brave%')
        )
      )
    )
  )
  AND startTime > NOW() - 86400000
ORDER BY startTime DESC

QRadar AQL query detecting T1176 Software Extension abuse from Sysmon event logs. Correlates Sysmon EventID 11 (file create) for suspicious extension file writes to browser/IDE directories, EventIDs 12/13/14 (registry create/set/delete) for forced extension policy manipulation, and EventID 1 (process create) for command-line extension installation. Filters legitimate browser and updater processes to reduce noise.

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log log source Sysmon log source via Windows Event Forwarding or direct agent

Required Tables

events

False Positives

Enterprise MDM or endpoint management tools (Intune, SCCM, Jamf) pushing browser extensions via registry GPO settings will generate ExtensionInstallForcelist matches
DevOps engineers and QA teams running automated browser testing frameworks (Selenium, Playwright) frequently use --load-extension to load test extensions in CI pipelines
Software packaging scripts that extract and stage .crx, .xpi, or .vsix files to local directories as part of offline installation bundles will match the file write branch

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*
| parse "<EventID>*</EventID>" as EventID nodrop
| parse "<TargetFilename>*</TargetFilename>" as TargetFilename nodrop
| parse "<TargetObject>*</TargetObject>" as TargetObject nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<Image>*</Image>" as Image nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| parse "<User>*</User>" as User nodrop
| where
  (
    EventID = "11"
    and (
      TargetFilename matches "*AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions*"
      or TargetFilename matches "*AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions*"
      or TargetFilename matches "*AppData\\Roaming\\Mozilla\\Firefox\\Profiles*"
      or TargetFilename matches "*.vscode\\extensions*"
      or TargetFilename matches "*AppData\\Roaming\\Code\\extensions*"
    )
    and (
      TargetFilename matches "*.crx"
      or TargetFilename matches "*.xpi"
      or TargetFilename matches "*.vsix"
      or TargetFilename matches "*.js"
      or TargetFilename matches "*manifest.json"
    )
    and not (
      Image matches "*\\chrome.exe"
      or Image matches "*\\msedge.exe"
      or Image matches "*\\firefox.exe"
      or Image matches "*\\Code.exe"
      or Image matches "*\\brave.exe"
      or Image matches "*\\MicrosoftEdgeUpdate.exe"
      or Image matches "*\\GoogleUpdate.exe"
    )
  )
  or (
    EventID in ("12", "13", "14")
    and (
      TargetObject matches "*ExtensionInstallForcelist*"
      or TargetObject matches "*ExtensionInstallAllowlist*"
      or TargetObject matches "*ExtensionInstallBlacklist*"
      or (
        TargetObject matches "*\\Extensions\\*"
        and (
          TargetObject matches "*\\Chrome\\*"
          or TargetObject matches "*\\Edge\\*"
          or TargetObject matches "*\\Chromium\\*"
        )
      )
    )
  )
  or (
    EventID = "1"
    and (
      CommandLine matches "*--load-extension*"
      or CommandLine matches "*--packed-extension*"
      or CommandLine matches "*--allow-outdated-plugins*"
      or CommandLine matches "*code --install-extension*"
      or CommandLine matches "*code-insiders --install-extension*"
      or (CommandLine matches "*.vsix*" and CommandLine matches "*install*")
      or (
        CommandLine matches "*.crx*"
        and (CommandLine matches "*chrome*" or CommandLine matches "*edge*" or CommandLine matches "*brave*")
      )
    )
  )
| eval DetectionType = if(EventID = "11", "SuspiciousExtensionFileWrite",
    if(EventID in ("12", "13", "14"), "ExtensionRegistryForceInstall",
    if(EventID = "1", "ExtensionCLIInstall", "Unknown")))
| eval ArtifactPath = if(EventID = "11", TargetFilename,
    if(EventID in ("12", "13", "14"), TargetObject, CommandLine))
| fields _messageTime, Computer, User, Image, CommandLine, ArtifactPath, DetectionType, EventID
| sort by _messageTime desc

Sumo Logic search detecting T1176 Software Extension abuse by parsing Sysmon XML event data from Windows endpoints. Identifies three attack vectors: suspicious extension file writes (Sysmon EID 11) to Chrome, Edge, Firefox, and VS Code extension directories excluding legitimate browser processes; registry policy manipulation (Sysmon EID 12/13/14) targeting ExtensionInstallForcelist and related keys; and command-line extension loading or installation (Sysmon EID 1) via browser flags or VS Code CLI.

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source Sysmon for Windows configured with file, registry, and process monitoring

Required Tables

Windows Sysmon Operational event log (_sourceCategory matching sysmon)

False Positives

Helpdesk teams or system administrators manually installing approved browser extensions on user machines via command-line scripting for standardized deployment
Security research or malware analysis workstations that intentionally load unpacked browser extensions or test .crx/.xpi packages as part of threat analysis workflows
Application whitelisting or endpoint management agents that legitimately read or write extension metadata files during inventory or compliance scanning operations

Google Chronicle / SecOps

yaral

rule t1176_software_extension_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1176 Software Extension abuse: suspicious file writes to browser/IDE extension directories, registry forced-install policy modification, and CLI-based extension loading or installation"
    mitre_attack_technique = "T1176"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-19"

  events:
    (
      // Branch 1: Suspicious file creation in browser or IDE extension directories
      $e.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e.target.file.full_path, `(?i)AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*\\extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)\.vscode\\extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Roaming\\Code\\extensions\\`)
      )
      and (
        re.regex($e.target.file.full_path, `(?i)\.(crx|xpi|vsix|js)$`)
        or re.regex($e.target.file.full_path, `(?i)manifest\.json$`)
      )
      and not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|Code\.exe|brave\.exe|opera\.exe|MicrosoftEdgeUpdate\.exe|GoogleUpdate\.exe|chrome_updater\.exe)$`)
    )
    or
    (
      // Branch 2: Registry modification for forced extension installation policy
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e.target.registry.registry_key, `(?i)ExtensionInstallForcelist`)
        or re.regex($e.target.registry.registry_key, `(?i)ExtensionInstallAllowlist`)
        or re.regex($e.target.registry.registry_key, `(?i)ExtensionInstallBlacklist`)
        or (
          re.regex($e.target.registry.registry_key, `(?i)\\Extensions\\.`)
          and (
            re.regex($e.target.registry.registry_key, `(?i)\\Chrome\\`)
            or re.regex($e.target.registry.registry_key, `(?i)\\Edge\\`)
            or re.regex($e.target.registry.registry_key, `(?i)\\Chromium\\`)
          )
        )
      )
    )
    or
    (
      // Branch 3: CLI-based extension installation or loading
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `(?i)(--load-extension|--packed-extension|--allow-outdated-plugins)`)
        or re.regex($e.target.process.command_line, `(?i)code(-insiders)?\s+--install-extension`)
        or (
          re.regex($e.target.process.command_line, `(?i)\.vsix`)
          and re.regex($e.target.process.command_line, `(?i)install`)
        )
        or (
          re.regex($e.target.process.command_line, `(?i)\.crx`)
          and re.regex($e.target.process.command_line, `(?i)(chrome|edge|brave)`)
        )
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1176 Software Extension abuse across three UDM event types. FILE_CREATION events targeting browser and IDE extension directories for .crx/.xpi/.vsix/manifest.json/.js files by non-browser processes; REGISTRY_MODIFICATION events writing to ExtensionInstallForcelist, ExtensionInstallAllowlist, or ExtensionInstallBlacklist policy keys; and PROCESS_LAUNCH events with extension-loading command-line flags or VS Code extension installation arguments.

high severity medium confidence

Data Sources

Google Chronicle with Google Security Operations ingestion Windows endpoint telemetry forwarded via Chronicle forwarder Sysmon or EDR events normalized to UDM

Required Tables

UDM events (FILE_CREATION, REGISTRY_MODIFICATION, PROCESS_LAUNCH event types)

False Positives

Enterprise browser management platforms (Google Workspace Admin, Microsoft Intune) configuring ExtensionInstallForcelist via GPO on managed corporate devices will generate high-volume registry branch alerts
Developer workstations running browser automation or web scraping tools that load unpacked extensions with --load-extension as part of normal test harness execution
Extension packaging pipelines that copy built .crx or .vsix artifacts into local extension directories during build and release processes before publishing to marketplaces

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["PeFileWritten", "AsepValueUpdate", "RegKeyUpdate", "ProcessRollup2"]
| case {
    #event_simpleName = "PeFileWritten"
      | test(TargetFileName = /(?i)(AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\|AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\|AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*extensions\\|\.vscode\\extensions\\|AppData\\Roaming\\Code\\extensions\\)/)
      | test(TargetFileName = /(?i)\.(crx|xpi|vsix|js)$|manifest\.json$/)
      | test(ImageFileName != /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|Code\.exe|brave\.exe|opera\.exe|MicrosoftEdgeUpdate\.exe|GoogleUpdate\.exe|chrome_updater\.exe)$/)
      | DetectionType := "SuspiciousExtensionFileWrite"
      | ArtifactPath := TargetFileName ;

    #event_simpleName in ["AsepValueUpdate", "RegKeyUpdate"]
      | test(RegObjectName = /(?i)(ExtensionInstallForcelist|ExtensionInstallAllowlist|ExtensionInstallBlacklist)|(\\Extensions\\.*\\(Chrome|Edge|Chromium)\\)/)
      | DetectionType := "ExtensionRegistryForceInstall"
      | ArtifactPath := RegObjectName ;

    #event_simpleName = "ProcessRollup2"
      | test(CommandLine = /(?i)(--load-extension|--packed-extension|--allow-outdated-plugins|code(-insiders)?\s+--install-extension)|(\.crx.*chrome|\.crx.*edge|\.crx.*brave|\.vsix.*install)/)
      | DetectionType := "ExtensionCLIInstall"
      | ArtifactPath := CommandLine ;

    * | drop()
  }
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ArtifactPath, DetectionType])
| sort(field=_time, order=desc)

CrowdStrike LogScale CQL query detecting T1176 Software Extension abuse using Falcon sensor telemetry. Uses a case-based dispatch over three Falcon event types: PeFileWritten for suspicious extension file drops (.crx/.xpi/.vsix/manifest.json/.js) into browser or IDE extension directories by non-browser processes; AsepValueUpdate/RegKeyUpdate for registry persistence via ExtensionInstallForcelist and related policy keys; and ProcessRollup2 for command-line extension installation flags (--load-extension, code --install-extension) or inline .crx/.vsix references.

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor (full EDR telemetry) Falcon Data Replicator or Humio/LogScale ingestion pipeline

Required Tables

PeFileWritten Falcon events AsepValueUpdate Falcon events RegKeyUpdate Falcon events ProcessRollup2 Falcon events

False Positives

CrowdStrike Falcon itself or other endpoint agents may write files to monitored extension paths during telemetry collection or extension enumeration scans, triggering false PeFileWritten matches
Software developers using VS Code Remote extensions or Dev Containers that automatically sync and install extensions to .vscode-server paths on remote hosts via automated tooling
Corporate browser provisioning scripts that stage pre-approved .crx packages locally and install them using Chrome command-line flags as part of a standardized onboarding image build

Sigma rule & cross-platform mapping

The detection logic for Software Extensions (T1176) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1176 Sigma rules on detection.fyi

Platform-specific guides for T1176

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-19 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Sideload Unpacked Chrome Extension via Command Line
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=chrome.exe, CommandLine containing '--load-extension' and '%TEMP%\malext'. Sysmon Event ID 11 (FileCreate): TargetFilename targeting the malext directory with manifest.json created by cmd.exe. DeviceProcessEvents in MDE will show the Chrome launch with --load-extension flag. DeviceFileEvents will show manifest.json creation by cmd.exe.
Test 2Force Install Browser Extension via Registry Policy
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject=HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1, Details containing the extension ID. Image=reg.exe. DeviceRegistryEvents in MDE: RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData containing the extension ID and update URL. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.
Test 3Install Malicious VSCode Extension from .vsix Package
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=code.exe (or Code.exe), CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11 (FileCreate): Multiple file writes to %USERPROFILE%\.vscode\extensions\test.test-ext-0.0.1\ directory. DeviceProcessEvents and DeviceFileEvents in MDE will show VSCode CLI invocation and extension directory population.
Test 4Drop Extension Files Directly into Browser Extension Directory
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename targeting Chrome Extensions directory with manifest.json and background.js, Image=cmd.exe (not chrome.exe). DeviceFileEvents in MDE: FolderPath containing 'Chrome\User Data\Default\Extensions', FileName=manifest.json and background.js, InitiatingProcessFileName=cmd.exe.
Test 5Enumerate Installed Extensions for Reconnaissance
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe, CommandLine referencing Chrome Extensions path and Get-ChildItem/Get-Content operations against manifest.json files. Sysmon Event ID 11 may be absent (read-only operation). DeviceProcessEvents in MDE shows PowerShell reading extension manifests. No file modification events, distinguishing this from installation activity.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1176 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Software Extensions

What is T1176 Software Extensions?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1176

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Persistence

Popular Detections

What is T1176 Software Extensions?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1176

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox