Detect Browser Extensions in Google Chronicle
Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Malicious extensions can be silently installed by modifying Chromium-based browser Preferences or Secure Preferences files while the browser is closed, via Windows Registry extension force-install policies, or through social engineering. Once installed, malicious extensions can steal credentials, cookies, and form data; capture screenshots; exfiltrate data to attacker-controlled servers; or establish command-and-control channels. Threat actors including Kimsuky (TRANSLATEXT), Lumma Stealer, Mispadu, and Grandoreiro have used malicious browser extensions in targeted campaigns.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1176 Software Extensions
- Sub-technique: T1176.001 Browser Extensions
- Canonical reference: https://attack.mitre.org/techniques/T1176/001/
YARA-L Detection Query
```
rule t1176_001_browser_extension_file_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious non-browser processes writing to Chromium browser extension directories or modifying Preferences files, indicating potential silent extension installation (T1176.001)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1176.001"
    reference = "https://attack.mitre.org/techniques/T1176/001/"
    false_positives = "Enterprise GPO extension deployment, browser update processes, SCCM or Intune managed extension installation"

  events:
    // Edits to an existing Preferences file arrive as FILE_MODIFICATION from most EDRs,
    // so both event types are needed to cover the behaviour the description names
    ($e.metadata.event_type = "FILE_CREATION" or $e.metadata.event_type = "FILE_MODIFICATION")

    // Chromium profile roots. Opera keeps its profile directly under "Opera Stable"
    // with no "User Data" level, so it gets its own alternative
    re.regex(
      $e.target.file.full_path,
      `(?i)\\(Google\\Chrome\\User Data|Microsoft\\Edge\\User Data|BraveSoftware\\Brave-Browser\\User Data|Chromium\\User Data|Opera Software\\Opera Stable)\\`
    )

    // Either anywhere under an Extensions directory, or one of the profile and extension
    // files of interest (matched on the tail of full_path)
    (
      re.regex($e.target.file.full_path, `(?i)\\Extensions\\`) or
      re.regex($e.target.file.full_path, `(?i)\\(Preferences|Secure Preferences|manifest\.json|background\.js|content_script\.js|inject\.js)$`)
    )

    // Exclude the browsers themselves and their update agents; extend to the
    // updater binaries present in your environment
    not re.regex(
      $e.principal.process.file.full_path,
      `(?i)(chrome|msedge|brave|opera|chromium|GoogleUpdate|MicrosoftEdgeUpdate|TextInputHost|explorer)\.exe$`
    )

  condition:
    $e
}

rule t1176_001_browser_extension_forcelist_registry {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of browser extension force-install registry policies used to silently deploy browser extensions without user consent (T1176.001)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1176.001"
    reference = "https://attack.mitre.org/techniques/T1176/001/"
    false_positives = "Legitimate IT Group Policy applying approved enterprise browser extension policies"

  events:
    // A new policy key is REGISTRY_CREATION; a value set under an existing key is REGISTRY_MODIFICATION
    ($e.metadata.event_type = "REGISTRY_CREATION" or $e.metadata.event_type = "REGISTRY_MODIFICATION")

    // Chrome, Edge and Brave policy hives; Forcelist installs silently, Allowlist
    // is included because loosening it is a common precursor
    re.regex(
      $e.target.registry.registry_key,
      `(?i)SOFTWARE\\Policies\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave)\\ExtensionInstall(Forcelist|Allowlist)`
    )

  condition:
    $e
}
```

Two Chronicle YARA-L 2.0 rules covering MITRE ATT&CK T1176.001. Rule 1 (t1176_001_browser_extension_file_abuse) triggers on FILE_CREATION or FILE_MODIFICATION events where a non-browser process writes to Chromium browser extension directories or to critical preference and script files across Chrome, Edge, Brave, Opera, and Chromium profiles. Rule 2 (t1176_001_browser_extension_forcelist_registry) triggers on REGISTRY_CREATION or REGISTRY_MODIFICATION events targeting the ExtensionInstallForcelist and ExtensionInstallAllowlist policy keys used to silently force-push extensions. Both rules use the UDM field model with YARA-L regex matching.
False Positives & Tuning
- IT administrators deploying sanctioned extensions via Active Directory Group Policy will trigger the registry rule when ExtensionInstallForcelist keys are created. Correlate principal.user.userid against known domain admin and GPO management accounts; review these alerts rather than suppressing them outright, since adversaries can also operate from admin accounts.
- Official browser update agents (GoogleUpdate, MicrosoftEdgeUpdate) write extension archives to User Data paths during background patching cycles. These are excluded by the not re.regex clause, but verify that the exclusion pattern covers every update agent binary name present in your environment.
- Corporate endpoint security products performing deep inspection or quarantine operations touch browser profile paths. Validate by correlating principal.process.file.full_path against known EDR and AV vendor installation directories and apply targeted exclusions.
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Silently Install Chrome Extension via Preferences File Modification
  Expected signal: Sysmon Event ID 11: File Create/Modify with TargetFilename ending in '\Google\Chrome\User Data\Default\Preferences', Image=powershell.exe. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Preferences' and 'ConvertFrom-Json'. DeviceFileEvents (MDE): FolderPath containing 'Google\Chrome\User Data\Default', FileName='Preferences', InitiatingProcessFileName='powershell.exe'.
- Test 2: Force-Install Browser Extension via Registry Policy
  Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist', Details containing the extension ID and update URL, Image=reg.exe. DeviceRegistryEvents (MDE): RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData='nmmhkkegccagdldgiimedpiccmgmieda;...', InitiatingProcessFileName='reg.exe'.
- Test 3: Drop Malicious Extension Files to Browser Extension Directory
  Expected signal: Sysmon Event ID 11: Multiple File Create events with TargetFilename in '...Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\' for manifest.json, background.js, and content.js, all with Image=powershell.exe. Sysmon Event ID 1: PowerShell process create with CommandLine referencing the extension directory and manifest content. DeviceFileEvents (MDE): Multiple records with FolderPath containing 'Extensions\abcdefghijklmnopabcdefghijklmnop', InitiatingProcessFileName='powershell.exe'.
- Test 4: Enumerate Installed Browser Extensions for Reconnaissance
  Expected signal: Sysmon Event ID 1: PowerShell process create with CommandLine referencing 'Extensions' and 'manifest.json'. DeviceFileEvents (MDE): Multiple FileRead events on manifest.json files in extension directories with InitiatingProcessFileName='powershell.exe'. This test generates lower-confidence telemetry (reads, not writes) suitable for hunting queries rather than high-confidence alerting.
- Test 5: Install Extension via .CRX File Drop and Chrome Command Line
  Expected signal: Sysmon Event ID 1: PowerShell process create writing manifest.json to the TEMP directory. If the Chrome launch is executed: Sysmon Event ID 1 for chrome.exe with CommandLine containing '--load-extension' pointing to the temp directory. DeviceProcessEvents (MDE): chrome.exe launched with non-standard command line arguments including '--load-extension'. DeviceFileEvents: manifest.json created in %TEMP% by powershell.exe.
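To confirm that the two rules above fire on the telemetry the Testing Methodology describes and stay quiet on the updater exclusion and on read-only enumeration, this added example (not part of the Argus rules or of Chronicle) replays their matching logic in Python over hand-constructed UDM-shaped events. The flat field names target_path, process_path and registry_key stand in for the UDM paths the rules reference, and every path and registry key below is constructed.

```python
import re

# Regexes transcribed from the two YARA-L rules (Python re in place of RE2; semantics are the same here).
PROFILE_RE = re.compile(r"\\(Google\\Chrome\\User Data|Microsoft\\Edge\\User Data|BraveSoftware\\Brave-Browser"
                        r"\\User Data|Chromium\\User Data|Opera Software\\Opera Stable)\\", re.I)
EXT_DIR_RE = re.compile(r"\\Extensions\\", re.I)
PREF_FILE_RE = re.compile(r"\\(Preferences|Secure Preferences|manifest\.json|background\.js|content_script\.js|inject\.js)$", re.I)
BROWSER_PROC_RE = re.compile(r"(chrome|msedge|brave|opera|chromium|GoogleUpdate|MicrosoftEdgeUpdate|TextInputHost|explorer)\.exe$", re.I)
FORCELIST_RE = re.compile(r"SOFTWARE\\Policies\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave)\\ExtensionInstall(Forcelist|Allowlist)", re.I)

def file_rule_matches(ev):
    """t1176_001_browser_extension_file_abuse: a non-browser process writes into a browser profile."""
    path = ev.get("target_path", "")
    return (ev["event_type"] in ("FILE_CREATION", "FILE_MODIFICATION")
            and PROFILE_RE.search(path) is not None
            and (EXT_DIR_RE.search(path) or PREF_FILE_RE.search(path)) is not None
            and BROWSER_PROC_RE.search(ev.get("process_path", "")) is None)

def registry_rule_matches(ev):
    """t1176_001_browser_extension_forcelist_registry: a force-install policy key is created or changed."""
    return (ev["event_type"] in ("REGISTRY_CREATION", "REGISTRY_MODIFICATION")
            and FORCELIST_RE.search(ev.get("registry_key", "")) is not None)

def evaluate(events):
    """Map each event's name to the names of the rules that fire on it."""
    rules = (("file_abuse", file_rule_matches), ("forcelist_registry", registry_rule_matches))
    return {ev["name"]: [r for r, fn in rules if fn(ev)] for ev in events}

# Constructed events modelled on the Testing Methodology telemetry (Sysmon 11/13 as it lands in UDM).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
MANIFEST = CHROME + r"\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\manifest.json"
EVENTS = [
    {"name": "t1_preferences", "event_type": "FILE_MODIFICATION",      # Test 1: should alert
     "target_path": CHROME + r"\Preferences", "process_path": PS},
    {"name": "t3_extension_drop", "event_type": "FILE_CREATION",       # Test 3: should alert
     "target_path": MANIFEST, "process_path": PS},
    {"name": "fp_googleupdate", "event_type": "FILE_CREATION",         # update agent: excluded by design
     "target_path": MANIFEST, "process_path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"name": "opera_preferences", "event_type": "FILE_MODIFICATION",   # Opera profile has no "User Data" level
     "target_path": r"C:\Users\alice\AppData\Roaming\Opera Software\Opera Stable\Preferences", "process_path": PS},
    {"name": "t4_manifest_read", "event_type": "FILE_READ",            # Test 4: reads only, hunting not alerting
     "target_path": MANIFEST, "process_path": PS},
    {"name": "t2_forcelist", "event_type": "REGISTRY_MODIFICATION",    # Test 2: should alert
     "registry_key": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1"},
]

if __name__ == "__main__":
    for name, fired in evaluate(EVENTS).items():
        print(f"{name:18} -> {fired or ['no alert']}")
```

Swap the constructed events for real exports from your SIEM to regression-test the exclusion list each time an update agent or EDR binary is added to it.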
References (12)
- https://attack.mitre.org/techniques/T1176/001/
- https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/
- https://developer.chrome.com/extensions
- https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
- https://www.xorrior.com/No-Place-Like-Chrome/
- https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/
- https://www.proofpoint.com/uk/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global
- https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/
- https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
- https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-ref-guide
- https://support.google.com/chrome/a/answer/9296680
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md