T1176.001

Browser Extensions

Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Malicious extensions can be silently installed by modifying Chromium-based browser Preferences or Secure Preferences files while the browser is closed, via Windows Registry extension force-install policies, or through social engineering. Once installed, malicious extensions can steal credentials, cookies, and form data; capture screenshots; exfiltrate data to attacker-controlled servers; or establish command-and-control channels. Threat actors including Kimsuky (TRANSLATEXT), Lumma Stealer, Mispadu, and Grandoreiro have used malicious browser extensions in targeted campaigns.

Microsoft Sentinel / Defender

kusto

let BrowserExtensionPaths = dynamic([
  "\\Google\\Chrome\\User Data\\",
  "\\Microsoft\\Edge\\User Data\\",
  "\\BraveSoftware\\Brave-Browser\\User Data\\",
  "\\Opera Software\\Opera Stable\\",
  "\\Chromium\\User Data\\"
]);
let SuspiciousExtensionWriters = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe",
  "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe",
  "certutil.exe", "curl.exe", "wget.exe", "bitsadmin.exe"
]);
// Branch 1: Suspicious process writing to browser extension directories or Preferences files
let Branch1 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (BrowserExtensionPaths)
| where FileName in~ ("Preferences", "Secure Preferences", "manifest.json", "background.js", "content_script.js", "inject.js")
  or FolderPath has "\\Extensions\\"
| where InitiatingProcessFileName has_any (SuspiciousExtensionWriters)
| extend DetectionBranch = "SuspiciousProcessWritingExtension"
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: Browser Preferences/Secure Preferences modified while browser is NOT running
let Branch2 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (BrowserExtensionPaths)
| where FileName in~ ("Preferences", "Secure Preferences")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe")
| where InitiatingProcessFileName !in~ ("explorer.exe", "TextInputHost.exe")
| extend DetectionBranch = "PreferencesModifiedOutsideBrowser"
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 3: Registry force-install extension policy creation
let Branch3 = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist"
  )
| extend DetectionBranch = "RegistryExtensionForceInstall"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName,
          RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 4: New extension directory created in browser profile
let Branch4 = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "DirectoryCreated"
| where FolderPath matches regex @"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\Extensions\\[a-p]{32}"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")
| extend DetectionBranch = "NewExtensionDirectoryCreated"
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
union Branch1, Branch2, Branch3, Branch4
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Windows Registry: Windows Registry Key Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents

False Positives

Enterprise MDM/group policy tools (Intune, SCCM, Workspace ONE) legitimately writing Chrome or Edge extension force-install registry keys for approved extensions like password managers or DLP agents
Browser auto-update processes or the Google Update service modifying extension directories during legitimate extension updates
IT deployment scripts using PowerShell to pre-install approved browser extensions during device provisioning (e.g., corporate new-hire imaging)
Developer workflows where web developers are actively developing and side-loading unpacked extensions in their own browser profiles
Security tools or endpoint agents that monitor or back up browser profile data and may trigger on file read/write events in extension directories

Splunk

spl

index=wineventlog earliest=-24h
(
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (
      TargetFilename="*\\Google\\Chrome\\User Data\\*"
      OR TargetFilename="*\\Microsoft\\Edge\\User Data\\*"
      OR TargetFilename="*\\BraveSoftware\\Brave-Browser\\User Data\\*"
    )
    (
      TargetFilename="*\\Preferences"
      OR TargetFilename="*\\Secure Preferences"
      OR TargetFilename="*manifest.json"
      OR TargetFilename="*background.js"
      OR TargetFilename="*content_script.js"
      OR TargetFilename="*\\Extensions\\*"
    )
  )
  OR
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    (
      TargetObject="*\\Policies\\Google\\Chrome\\ExtensionInstallForcelist*"
      OR TargetObject="*\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist*"
      OR TargetObject="*\\Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist*"
      OR TargetObject="*\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist*"
    )
  )
)
| eval EventType=case(
    EventCode=="11", "FileCreate",
    EventCode=="13", "RegistrySetValue",
    true(), "Unknown"
  )
| eval SuspiciousWriter=case(
    EventCode=="11" AND (match(Image, "(?i)(powershell|pwsh|cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec|certutil|curl|wget|bitsadmin)\.exe")), 1,
    EventCode=="11" AND NOT (match(Image, "(?i)(chrome|msedge|brave|opera|chromium|GoogleUpdate|MicrosoftEdgeUpdate)\.exe")), 1,
    EventCode=="13", 1,
    true(), 0
  )
| eval PreferencesModified=if(EventCode=="11" AND (match(TargetFilename, "(?i)(Preferences|Secure Preferences)$")), 1, 0)
| eval ManifestOrScriptModified=if(EventCode=="11" AND (match(TargetFilename, "(?i)(manifest\.json|background\.js|content_script\.js|inject\.js)$")), 1, 0)
| eval ExtensionDirWrite=if(EventCode=="11" AND match(TargetFilename, "(?i)\\Extensions\\"), 1, 0)
| eval ForceInstallRegistry=if(EventCode=="13", 1, 0)
| eval SuspicionScore=SuspiciousWriter + PreferencesModified + ManifestOrScriptModified + ExtensionDirWrite + ForceInstallRegistry
| where SuspicionScore >= 1
| eval IndicatorSummary=mvjoin(mvfilter(match(mvappend(
    if(PreferencesModified=1, "PreferencesModified", null()),
    if(ManifestOrScriptModified=1, "ManifestOrScriptModified", null()),
    if(ExtensionDirWrite=1, "ExtensionDirWrite", null()),
    if(ForceInstallRegistry=1, "ForceInstallRegistry", null()),
    if(SuspiciousWriter=1, "SuspiciousWriter", null())
  ), ".+")), ", ")
| table _time, host, User, EventType, Image, CommandLine, TargetFilename, TargetObject, Details, SuspicionScore, IndicatorSummary
| sort - _time

high severity medium confidence

Data Sources

File: File Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 11 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise MDM/group policy tools (Intune, SCCM) legitimately writing extension force-install registry keys for approved enterprise extensions
Browser auto-update services (GoogleUpdate, MicrosoftEdgeUpdate) modifying extension files during scheduled updates
IT provisioning scripts using PowerShell to deploy approved browser extensions during workstation imaging
Web developers side-loading unpacked extensions during development and testing workflows
DLP or browser management agents that actively manage or audit browser profile configurations

Elastic Security (EQL)

eql

any where (
  /* Branch 1: Suspicious process writing to browser extension directories or files */
  (
    event.category == "file" and
    event.action in ("creation", "overwrite", "modification") and
    (
      file.path like~ "*\\Google\\Chrome\\User Data\\*" or
      file.path like~ "*\\Microsoft\\Edge\\User Data\\*" or
      file.path like~ "*\\BraveSoftware\\Brave-Browser\\User Data\\*" or
      file.path like~ "*\\Opera Software\\Opera Stable\\*" or
      file.path like~ "*\\Chromium\\User Data\\*"
    ) and
    (
      file.path like~ "*\\Extensions\\*" or
      file.name in~ ("Preferences", "Secure Preferences", "manifest.json", "background.js", "content_script.js", "inject.js")
    ) and
    process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "certutil.exe", "curl.exe", "wget.exe", "bitsadmin.exe")
  ) or
  /* Branch 2: Preferences modified while browser is not running */
  (
    event.category == "file" and
    event.action in ("creation", "overwrite", "modification") and
    (
      file.path like~ "*\\Google\\Chrome\\User Data\\*" or
      file.path like~ "*\\Microsoft\\Edge\\User Data\\*" or
      file.path like~ "*\\BraveSoftware\\Brave-Browser\\User Data\\*"
    ) and
    file.name in~ ("Preferences", "Secure Preferences") and
    not process.name in~ ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe", "explorer.exe", "TextInputHost.exe")
  ) or
  /* Branch 3: Registry force-install extension policy creation */
  (
    event.category == "registry" and
    event.action in ("modification", "creation") and
    (
      registry.path like~ "*\\Policies\\Google\\Chrome\\ExtensionInstallForcelist*" or
      registry.path like~ "*\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist*" or
      registry.path like~ "*\\Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist*" or
      registry.path like~ "*\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist*"
    )
  ) or
  /* Branch 4: New extension directory created by non-browser process */
  (
    event.category == "file" and
    event.type == "dir" and
    event.action == "creation" and
    (
      file.path like~ "*\\Google\\Chrome\\User Data\\*\\Extensions\\*" or
      file.path like~ "*\\Microsoft\\Edge\\User Data\\*\\Extensions\\*" or
      file.path like~ "*\\BraveSoftware\\Brave-Browser\\User Data\\*\\Extensions\\*"
    ) and
    not process.name in~ ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (Elastic Defend) Sysmon via Winlogbeat or Elastic Agent Fleet Windows Security Event Log via Winlogbeat

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Enterprise Group Policy deployments pushing approved browser extensions via ExtensionInstallForcelist registry keys — correlate against AD GPO change management records and expected GPO names; registry writes from SYSTEM or domain admin accounts during scheduled policy refresh are expected
Browser auto-update and extension sync processes writing to User Data directories during legitimate update cycles — validate by confirming process.executable matches official vendor installation paths such as C:\Program Files\Google\Chrome\Application\chrome.exe or C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Software deployment tools (Intune Management Extension, SCCM client, Chocolatey) installing or configuring browser extensions as part of enterprise software packages — check if initiating process matches known deployment agent paths and correlate against CMDB deployment windows
Developers testing unpacked extensions by editing manifest.json or content scripts directly on developer workstations — apply suppression for machines in developer OUs or with Visual Studio Code as a parent process
Browser profile migration or enterprise onboarding tools copying Preferences files between machines — validate against known migration tool process names and onboarding ticket records

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS hostname,
  username,
  QIDNAME(qid) AS event_name,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "TargetFilename" AS target_filename,
  "TargetObject" AS registry_key,
  "Details" AS registry_value,
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  devicetime >= NOW() - 86400000
  AND (
    (
      "EventCode" = '11'
      AND (
        "TargetFilename" ILIKE '%\Google\Chrome\User Data\%'
        OR "TargetFilename" ILIKE '%\Microsoft\Edge\User Data\%'
        OR "TargetFilename" ILIKE '%\BraveSoftware\Brave-Browser\User Data\%'
        OR "TargetFilename" ILIKE '%\Opera Software\Opera Stable\%'
        OR "TargetFilename" ILIKE '%\Chromium\User Data\%'
      )
      AND (
        "TargetFilename" ILIKE '%\Extensions\%'
        OR "TargetFilename" ILIKE '%Preferences'
        OR "TargetFilename" ILIKE '%Secure Preferences'
        OR "TargetFilename" ILIKE '%manifest.json'
        OR "TargetFilename" ILIKE '%background.js'
        OR "TargetFilename" ILIKE '%content_script.js'
        OR "TargetFilename" ILIKE '%inject.js'
      )
    )
    OR (
      "EventCode" = '13'
      AND (
        "TargetObject" ILIKE '%Policies\Google\Chrome\ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%Policies\Microsoft\Edge\ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%Policies\BraveSoftware\Brave\ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%Policies\Google\Chrome\ExtensionInstallAllowlist%'
      )
    )
  )
ORDER BY devicetime DESC

high severity high confidence

Data Sources

Microsoft Windows Sysmon (via WinCollect or Universal DSM) IBM QRadar SIEM events table

Required Tables

events

False Positives

IT-managed Active Directory Group Policy deploying approved extensions to ExtensionInstallForcelist — validate against authorized GPO change records; filter by Image field showing legitimate GPO processing tools such as gpo_update.exe or svchost.exe running under SYSTEM from expected parent processes
Browser installer or version update manager (GoogleUpdate.exe, MicrosoftEdgeUpdate.exe, brave_browser_update.exe) writing to User Data paths during extension updates — correlate Image field against known vendor update binary paths and verify digital signature validity
Enterprise configuration management agents (Ansible WinRM, Chef, Salt Minion) applying sanctioned browser configuration policies — cross-reference with CMDB change records and confirm CommandLine includes expected configuration parameters

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventCode in ("11", "13")
| where (
    EventCode = "11"
    AND (
      TargetFilename matches "*\\Google\\Chrome\\User Data\\*"
      OR TargetFilename matches "*\\Microsoft\\Edge\\User Data\\*"
      OR TargetFilename matches "*\\BraveSoftware\\Brave-Browser\\User Data\\*"
      OR TargetFilename matches "*\\Opera Software\\Opera Stable\\*"
      OR TargetFilename matches "*\\Chromium\\User Data\\*"
    )
    AND (
      TargetFilename matches "*\\Extensions\\*"
      OR TargetFilename matches "*Preferences"
      OR TargetFilename matches "*Secure Preferences"
      OR TargetFilename matches "*manifest.json"
      OR TargetFilename matches "*background.js"
      OR TargetFilename matches "*content_script.js"
      OR TargetFilename matches "*inject.js"
    )
  )
  OR (
    EventCode = "13"
    AND (
      TargetObject matches "*Policies\\Google\\Chrome\\ExtensionInstallForcelist*"
      OR TargetObject matches "*Policies\\Microsoft\\Edge\\ExtensionInstallForcelist*"
      OR TargetObject matches "*Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist*"
      OR TargetObject matches "*Policies\\Google\\Chrome\\ExtensionInstallAllowlist*"
    )
  )
| eval SuspiciousWriter = if (
    EventCode = "11" AND (
      Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe" OR
      Image matches "*\\cmd.exe" OR Image matches "*\\wscript.exe" OR
      Image matches "*\\mshta.exe" OR Image matches "*\\cscript.exe" OR
      Image matches "*\\regsvr32.exe" OR Image matches "*\\rundll32.exe" OR
      Image matches "*\\msiexec.exe" OR Image matches "*\\certutil.exe" OR
      Image matches "*\\curl.exe" OR Image matches "*\\wget.exe" OR
      Image matches "*\\bitsadmin.exe"
    ), 1, 0)
| eval ForceInstallRegistry = if (EventCode = "13", 1, 0)
| eval PreferencesModified = if (
    EventCode = "11" AND (
      TargetFilename matches "*Preferences" OR TargetFilename matches "*Secure Preferences"
    ), 1, 0)
| eval ExtensionDirWrite = if (
    EventCode = "11" AND TargetFilename matches "*\\Extensions\\*", 1, 0)
| eval SuspicionScore = SuspiciousWriter + ForceInstallRegistry + PreferencesModified + ExtensionDirWrite
| where SuspicionScore >= 1
| eval DetectionBranch = if (ForceInstallRegistry = 1, "ForceInstallRegistry",
    if (SuspiciousWriter = 1, "SuspiciousProcessWrite",
    if (PreferencesModified = 1, "PreferencesModifiedOutsideBrowser", "ExtensionFileWrite")))
| fields _messageTime, Computer, User, EventCode, Image, CommandLine, TargetFilename, TargetObject, Details, SuspicionScore, DetectionBranch
| sort by _messageTime desc

high severity high confidence

Data Sources

Microsoft Windows Sysmon (via Sumo Logic Windows Collector or Installed Collector) Sumo Logic Cloud SIEM Enterprise (CSE)

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*winlogbeat*

False Positives

Group Policy-driven browser extension deployment writing ExtensionInstallForcelist registry keys via gpscript.exe or Group Policy client service — validate DetectionBranch=ForceInstallRegistry events against AD change management records; suppress if Image matches %SystemRoot%\System32\gpscript.exe or the Computer matches known GPO management DCs
Browser installer frameworks (GoogleUpdate.exe, MicrosoftEdgeUpdate.exe) writing extension files as part of factory or enterprise baseline provisioning — verify Image matches expected vendor update binary paths under Program Files and check for corresponding installer parent process
Endpoint configuration tools such as Puppet or Chef applying browser hardening baselines that write to extension paths — cross-reference CommandLine arguments with expected configuration playbook patterns and correlate with CMDB deployment schedules

Google Chronicle / SecOps

yaral

rule t1176_001_browser_extension_file_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious non-browser processes writing to Chromium browser extension directories or modifying Preferences files, indicating potential silent extension installation (T1176.001)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1176.001"
    reference = "https://attack.mitre.org/techniques/T1176/001/"
    false_positives = "Enterprise GPO extension deployment, browser update processes, SCCM or Intune managed extension installation"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex(
      $e.target.file.full_path,
      `(?i)\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser|Opera Software\\Opera Stable|Chromium)\\User Data\\`
    )
    (
      re.regex($e.target.file.full_path, `(?i)\\Extensions\\`) OR
      re.regex($e.target.file.name, `(?i)^(Preferences|Secure Preferences|manifest\.json|background\.js|content_script\.js|inject\.js)$`)
    )
    NOT re.regex(
      $e.principal.process.file.full_path,
      `(?i)(chrome|msedge|brave|opera|chromium|GoogleUpdate|MicrosoftEdgeUpdate|TextInputHost|explorer)\.exe$`
    )

  condition:
    $e
}

rule t1176_001_browser_extension_forcelist_registry {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of browser extension force-install registry policies used to silently deploy browser extensions without user consent (T1176.001)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1176.001"
    reference = "https://attack.mitre.org/techniques/T1176/001/"
    false_positives = "Legitimate IT Group Policy applying approved enterprise browser extension policies"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex(
      $e.target.registry.registry_key,
      `(?i)SOFTWARE\\Policies\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave)\\ExtensionInstall(Forcelist|Allowlist)`
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint Telemetry via Chronicle Forwarder or BindPlane Sysmon via Chronicle ingestion pipeline

Required Tables

UDM Events (FILE_CREATION) UDM Events (REGISTRY_MODIFICATION)

False Positives

IT administrators deploying sanctioned extensions via Active Directory Group Policy will trigger the registry rule when ExtensionInstallForcelist keys are created — correlate principal.user.userid against known domain admin and GPO management accounts; alert should be reviewed but not suppressed outright as adversaries can also use admin accounts
Official browser update agents (GoogleUpdate, MicrosoftEdgeUpdate) writing extension archives to User Data paths during background patching cycles — these are excluded by the NOT regex clause but verify the exclusion pattern covers all update agent binary names present in your environment
Corporate endpoint security products performing deep inspection or quarantine operations that touch browser profile paths — validate by correlating principal.process.file.full_path against known EDR and AV vendor installation directories and apply targeted exclusions

CrowdStrike LogScale (CQL)

cql

(#event_simpleName=WriteFile OR #event_simpleName=PeFileWritten OR #event_simpleName=RegSetValue)
| case {
    #event_simpleName in (WriteFile, PeFileWritten)
    | TargetFileName = /(?i)\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser|Opera Software\\Opera Stable|Chromium)\\User Data\\/
    | TargetFileName = /(?i)(\\Extensions\\|Preferences$|Secure Preferences$|manifest\.json$|background\.js$|content_script\.js$|inject\.js$)/
    | ImageFileName != /(?i)(chrome|msedge|brave|opera|chromium|GoogleUpdate|MicrosoftEdgeUpdate|TextInputHost|explorer)\.exe$/
    | DetectionBranch := case {
        ImageFileName = /(?i)(powershell|pwsh|cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec|certutil|curl|wget|bitsadmin)\.exe/ |
          "SuspiciousProcessWrite" ;
        TargetFileName = /(?i)(Preferences|Secure Preferences)$/ |
          "PreferencesModifiedOutsideBrowser" ;
        * | "ExtensionFileWrite"
      } ;
    #event_simpleName=RegSetValue
    | RegObjectName = /(?i)(Policies\\Google\\Chrome\\ExtensionInstallForcelist|Policies\\Microsoft\\Edge\\ExtensionInstallForcelist|Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist|Policies\\Google\\Chrome\\ExtensionInstallAllowlist)/
    | DetectionBranch := "ForceInstallRegistry" ;
  }
| table([@timestamp, #event_simpleName, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, RegObjectName, RegValueName, RegStringValue, DetectionBranch])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Platform CrowdStrike LogScale (formerly Humio)

Required Tables

#event_simpleName=WriteFile #event_simpleName=PeFileWritten #event_simpleName=RegSetValue

False Positives

CrowdStrike Falcon sensor or other endpoint security agents performing behavioral telemetry collection that touch browser profile directories — validate by checking whether ImageFileName matches known security vendor installation paths under Program Files and apply sensor-specific suppression if needed
Enterprise browser extension deployment via Intune Management Extension (IntuneManagementExtension.exe) or SCCM client (CcmExec.exe) writing extension policy configurations — these processes will appear in WriteFile events; correlate ComputerName against Intune/SCCM managed device lists and validate CommandLine against expected deployment parameters
Browser profile backup or sync solutions (e.g., roaming profile synchronization, enterprise browser profile management tools) accessing Preferences files during login or logoff — correlate with user session events and validate ImageFileName against known profile sync agent binaries

Last updated: 2026-04-19 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1176.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Browser Extensions

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections