Detect Browser Extensions in Elastic Security
Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Malicious extensions can be installed silently by modifying a Chromium-based browser's Preferences or Secure Preferences files while the browser is closed (edits made while it runs are overwritten from memory on exit), via Windows Registry extension force-install policies, or through social engineering. Once installed, malicious extensions can steal credentials, cookies, and form data; capture screenshots; exfiltrate data to attacker-controlled servers; or establish command-and-control channels. Threat actors and malware families including Kimsuky (TRANSLATEXT), Lumma Stealer, Mispadu, and Grandoreiro have used malicious browser extensions in targeted campaigns.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1176 Software Extensions
- Sub-technique: T1176.001 Browser Extensions
- Canonical reference: https://attack.mitre.org/techniques/T1176/001/
Elastic Detection Query
any where (
  /* Branch 1: Suspicious scripting or LOLBin process writing to browser extension directories or key files */
  (
    event.category == "file" and
    event.action in ("creation", "overwrite", "modification") and
    (
      file.path like~ "*\\Google\\Chrome\\User Data\\*" or
      file.path like~ "*\\Microsoft\\Edge\\User Data\\*" or
      file.path like~ "*\\BraveSoftware\\Brave-Browser\\User Data\\*" or
      file.path like~ "*\\Opera Software\\Opera Stable\\*" or
      file.path like~ "*\\Chromium\\User Data\\*"
    ) and
    (
      file.path like~ "*\\Extensions\\*" or
      file.name in~ ("Preferences", "Secure Preferences", "manifest.json", "background.js", "content_script.js", "inject.js")
    ) and
    process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "certutil.exe", "curl.exe", "wget.exe", "bitsadmin.exe")
  ) or
  /* Branch 2: Preferences written by a process other than the browser (browser closed or bypassed) */
  (
    event.category == "file" and
    event.action in ("creation", "overwrite", "modification") and
    (
      file.path like~ "*\\Google\\Chrome\\User Data\\*" or
      file.path like~ "*\\Microsoft\\Edge\\User Data\\*" or
      file.path like~ "*\\BraveSoftware\\Brave-Browser\\User Data\\*"
    ) and
    file.name in~ ("Preferences", "Secure Preferences") and
    not process.name in~ ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe", "explorer.exe", "TextInputHost.exe")
  ) or
  /* Branch 3: Registry force-install (or allowlist) extension policy creation */
  (
    event.category == "registry" and
    event.action in ("modification", "creation") and
    (
      registry.path like~ "*\\Policies\\Google\\Chrome\\ExtensionInstallForcelist*" or
      registry.path like~ "*\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist*" or
      registry.path like~ "*\\Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist*" or
      registry.path like~ "*\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist*"
    )
  ) or
  /* Branch 4: New extension directory created by a non-browser process.
     ECS carries the file/directory distinction in file.type ("file", "dir", "symlink"), not in
     event.type; this branch only fires on a data source that populates file.type for directory creation. */
  (
    event.category == "file" and
    file.type == "dir" and
    event.action == "creation" and
    (
      file.path like~ "*\\Google\\Chrome\\User Data\\*\\Extensions\\*" or
      file.path like~ "*\\Microsoft\\Edge\\User Data\\*\\Extensions\\*" or
      file.path like~ "*\\BraveSoftware\\Brave-Browser\\User Data\\*\\Extensions\\*"
    ) and
    not process.name in~ ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")
  )
)

Detects malicious browser extension installation via four branches: scripting or LOLBin processes writing to Chromium extension directories or key files (Preferences, manifest.json, background.js); Preferences files written by a process other than the browser; registry-based ExtensionInstallForcelist or ExtensionInstallAllowlist policy creation; and new extension directories created by non-browser processes. Covers Chrome, Edge, Brave, Opera, and Chromium (Opera and Chromium appear only in Branch 1). Maps to MITRE ATT&CK T1176.001. Two caveats: the query carries no host filter, so add one such as host.os.type == "windows" to keep it off non-Windows data streams; and it keys entirely on file and registry events, so an unpacked extension loaded with --load-extension (Test 5 below) produces only a process-creation event and needs a separate rule.
Data Sources
Windows endpoint file and registry events that carry process attribution, i.e. event.category "file" and "registry" with process.name populated (inferred from the query). With Elastic Defend these are the logs-endpoint.events.file-* and logs-endpoint.events.registry-* data streams. Sysmon Event IDs 11 (FileCreate) and 13 (RegistryEvent, value set) shipped through the Elastic Agent Windows integration or Winlogbeat's Sysmon module are mapped to the same ECS fields; Sysmon only records paths its configuration includes, so the User Data and Policies paths above must be in the Sysmon rule set.
False Positives & Tuning
- Enterprise Group Policy deployments pushing approved browser extensions via ExtensionInstallForcelist registry keys — correlate against AD GPO change management records and expected GPO names; registry writes from SYSTEM or domain admin accounts during scheduled policy refresh are expected
- Browser auto-update and extension sync processes writing to User Data directories during legitimate update cycles — validate by confirming process.executable matches official vendor installation paths such as C:\Program Files\Google\Chrome\Application\chrome.exe or C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
- Software deployment tools (Intune Management Extension, SCCM client, Chocolatey) installing or configuring browser extensions as part of enterprise software packages — check if initiating process matches known deployment agent paths and correlate against CMDB deployment windows
- Developers testing unpacked extensions by editing manifest.json or content scripts directly on developer workstations — apply suppression for machines in developer OUs or with Visual Studio Code as a parent process
- Browser profile migration or enterprise onboarding tools copying Preferences files between machines — validate against known migration tool process names and onboarding ticket records
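To make the four branches and the tuning exceptions above concrete, here is an added example (not Elastic's code) that re-implements the query's logic in Python over constructed ECS-style events, applies the suppressions suggested in the tuning list, and adds the companion --load-extension process check the query itself lacks. The allowlists (vendor browser paths, deployment agent names, the svchost.exe/SYSTEM Group Policy writer, Code.exe as a developer parent) and the sample events are assumptions made for this example.

```python
"""Reference implementation of the four detection branches above plus the tuning exceptions
from the False Positives list, run over constructed ECS-style events. Added example, not
Elastic's code; the allowlists and sample events are assumptions made for this example."""
from fnmatch import fnmatchcase

WRITE_ACTIONS = {"creation", "overwrite", "modification"}
USER_DATA = ["*\\google\\chrome\\user data\\*", "*\\microsoft\\edge\\user data\\*",
             "*\\bravesoftware\\brave-browser\\user data\\*",      # Branches 2 and 4 use only these three
             "*\\opera software\\opera stable\\*", "*\\chromium\\user data\\*"]
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe", "cscript.exe", "regsvr32.exe",
           "rundll32.exe", "msiexec.exe", "certutil.exe", "curl.exe", "wget.exe", "bitsadmin.exe"}
KEY_FILES = {"preferences", "secure preferences", "manifest.json", "background.js", "content_script.js", "inject.js"}
PREFS = {"preferences", "secure preferences"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
PREFS_WRITERS_OK = BROWSERS | {"opera.exe", "explorer.exe", "textinputhost.exe"}
POLICY_KEYS = ["*\\policies\\google\\chrome\\extensioninstallforcelist*",
               "*\\policies\\microsoft\\edge\\extensioninstallforcelist*",
               "*\\policies\\bravesoftware\\brave\\extensioninstallforcelist*",
               "*\\policies\\google\\chrome\\extensioninstallallowlist*"]
# Tuning allowlists: assumed for this example, replace with CMDB-backed lists in production
VENDOR_BROWSER_EXES = {r"c:\program files\google\chrome\application\chrome.exe",
                       r"c:\program files (x86)\microsoft\edge\application\msedge.exe"}
DEPLOYMENT_AGENTS = {"microsoft.management.services.intunewindowsagent.exe", "ccmexec.exe"}


def like(value, pattern):
    """EQL like~: case-insensitive wildcard match; a missing field never matches."""
    return value is not None and fnmatchcase(value.lower(), pattern.lower())


def low(e, field):
    return (e.get(field) or "").lower()


def branch1(e):  # LOLBin writes under a User Data tree, into Extensions\ or to a key file
    return (e.get("event.category") == "file" and e.get("event.action") in WRITE_ACTIONS
            and any(like(e.get("file.path"), g) for g in USER_DATA)
            and (like(e.get("file.path"), "*\\extensions\\*") or low(e, "file.name") in KEY_FILES)
            and low(e, "process.name") in LOLBINS)


def branch2(e):  # Preferences / Secure Preferences written by something other than the browser
    return (e.get("event.category") == "file" and e.get("event.action") in WRITE_ACTIONS
            and any(like(e.get("file.path"), g) for g in USER_DATA[:3]) and low(e, "file.name") in PREFS
            and e.get("process.name") is not None and low(e, "process.name") not in PREFS_WRITERS_OK)


def branch3(e):  # ExtensionInstallForcelist / ExtensionInstallAllowlist policy written
    return (e.get("event.category") == "registry" and e.get("event.action") in ("modification", "creation")
            and any(like(e.get("registry.path"), g) for g in POLICY_KEYS))


def branch4(e):  # new directory under Extensions\ created by a non-browser process (needs ECS file.type)
    return (e.get("event.category") == "file" and e.get("file.type") == "dir" and e.get("event.action") == "creation"
            and any(like(e.get("file.path"), g + "\\extensions\\*") for g in USER_DATA[:3])
            and e.get("process.name") is not None and low(e, "process.name") not in BROWSERS)


BRANCHES = (("branch1", branch1), ("branch2", branch2), ("branch3", branch3), ("branch4", branch4))


def suppression(e, hits):
    """Tuning exceptions from the False Positives list; returns a reason string or None."""
    if low(e, "process.executable") in VENDOR_BROWSER_EXES:
        return "browser from vendor install path"
    if low(e, "process.name") in DEPLOYMENT_AGENTS:
        return "software deployment agent"
    # Group Policy refresh: the GP client (gpsvc, hosted in svchost.exe as SYSTEM) rewrites
    # HKLM\SOFTWARE\Policies; still correlate against GPO change records before trusting it.
    if "branch3" in hits and low(e, "process.name") == "svchost.exe" and low(e, "user.name") == "system":
        return "group policy refresh"
    if low(e, "process.parent.name") == "code.exe":  # developer editing an unpacked extension from VS Code
        return "developer workstation"
    return None


def evaluate(e):
    """Return (matching branches, suppression reason); alert when branches hit and reason is None."""
    hits = [name for name, fn in BRANCHES if fn(e)]
    return hits, (suppression(e, hits) if hits else None)


def hunt_load_extension(e):
    """Companion process check the four branches cannot cover: a browser started with --load-extension."""
    return (e.get("event.category") == "process" and low(e, "process.name") in BROWSERS
            and "--load-extension" in low(e, "process.command_line"))


UD = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"   # constructed sample events, not real telemetry
SAMPLE_EVENTS = {
    "ps_prefs": {"event.category": "file", "event.action": "overwrite", "file.path": UD + r"\Preferences",
                 "file.name": "Preferences", "process.name": "powershell.exe", "process.parent.name": "explorer.exe",
                 "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    "chrome_prefs": {"event.category": "file", "event.action": "overwrite", "file.path": UD + r"\Preferences",
                     "file.name": "Preferences", "process.name": "chrome.exe",
                     "process.executable": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    "reg_forcelist": {"event.category": "registry", "event.action": "modification", "process.name": "reg.exe",
                      "registry.path": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1", "user.name": "alice"},
    "gpo_forcelist": {"event.category": "registry", "event.action": "modification", "process.name": "svchost.exe",
                      "registry.path": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1", "user.name": "SYSTEM"},
    "ps_extdir": {"event.category": "file", "event.action": "creation", "file.type": "dir", "process.name": "powershell.exe",
                  "file.path": UD + r"\Extensions\abcdefghijklmnopabcdefghijklmnop", "file.name": "abcdefghijklmnopabcdefghijklmnop"},
    "vscode_manifest": {"event.category": "file", "event.action": "modification", "file.name": "manifest.json",
                        "file.path": UD + r"\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\manifest.json",
                        "process.name": "powershell.exe", "process.parent.name": "Code.exe"},
    "load_extension": {"event.category": "process", "event.action": "start", "process.name": "chrome.exe",
                       "process.command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\alice\AppData\Local\Temp\ext'},
}


def run(events=SAMPLE_EVENTS):
    """Map each sample name to (branches hit, suppression reason, load-extension hunt hit)."""
    return {name: (*evaluate(e), hunt_load_extension(e)) for name, e in events.items()}


if __name__ == "__main__":
    for name, (hits, why, hunt) in run().items():
        verdict = "ALERT" if hits and why is None else ("suppressed: " + why if why else "no match")
        print(f"{name:16} {verdict:36} {hits} hunt={hunt}")
```

Running it shows the two outcomes a tuner cares about side by side: the powershell.exe Preferences write and the reg.exe force-list entry alert, the svchost.exe/SYSTEM policy write and the Code.exe-parented manifest edit are suppressed with a stated reason rather than silently dropped, the browser's own Preferences write never matches, and the --load-extension launch is invisible to all four branches and only surfaces through the companion process check.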
Testing Methodology
Validate this detection against the five adversary behaviours below (Atomic Red Team, T1176). Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Silently Install Chrome Extension via Preferences File Modification
Expected signal: Sysmon Event ID 11 (FileCreate, which also fires when an existing file is overwritten) with TargetFilename ending in '\Google\Chrome\User Data\Default\Preferences' and Image=powershell.exe. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Preferences' and 'ConvertFrom-Json'. DeviceFileEvents (MDE): FolderPath containing 'Google\Chrome\User Data\Default', FileName='Preferences', InitiatingProcessFileName='powershell.exe'. Chrome must be closed during the write or it will overwrite the edit from memory on exit. In the query this is Branch 2, and also Branch 1 because powershell.exe is the writer.
- Test 2: Force-Install Browser Extension via Registry Policy
Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist', Details containing the extension ID and update URL, Image=reg.exe. DeviceRegistryEvents (MDE): RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData='nmmhkkegccagdldgiimedpiccmgmieda;...', InitiatingProcessFileName='reg.exe'. In the query this is Branch 3; the writer being reg.exe rather than the Group Policy client is what separates it from a legitimate GPO refresh.
- Test 3: Drop Malicious Extension Files to Browser Extension Directory
Expected signal: Sysmon Event ID 11: Multiple File Create events with TargetFilename in '...Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\' for manifest.json, background.js, and content.js, all with Image=powershell.exe. Sysmon Event ID 1: PowerShell process create with CommandLine referencing the extension directory and manifest content. DeviceFileEvents (MDE): Multiple records with FolderPath containing 'Extensions\abcdefghijklmnopabcdefghijklmnop', InitiatingProcessFileName='powershell.exe'. In the query the file writes hit Branch 1 (any write under Extensions\ by a LOLBin); the directory creation hits Branch 4 only if the data source reports directory creation with file.type populated.
- Test 4: Enumerate Installed Browser Extensions for Reconnaissance
Expected signal: Sysmon Event ID 1: PowerShell process create with CommandLine referencing 'Extensions' and 'manifest.json'. Neither Sysmon nor MDE DeviceFileEvents records file reads (DeviceFileEvents only carries create, modify, delete and rename action types), so the process-creation event and its command line are the only durable telemetry. This test therefore generates lower-confidence signal (reads, not writes) suitable for hunting queries rather than high-confidence alerting, and none of the four branches above fires on it.
- Test 5: Load Unpacked Extension via File Drop and Chrome --load-extension
Expected signal: Sysmon Event ID 1: PowerShell process create; Sysmon Event ID 11: manifest.json created under the TEMP directory with Image=powershell.exe. If the Chrome launch is executed: Sysmon Event ID 1 for chrome.exe with CommandLine containing '--load-extension' pointing to the temp directory. DeviceProcessEvents (MDE): chrome.exe launched with non-standard command line arguments including '--load-extension'. DeviceFileEvents: manifest.json created in %TEMP% by powershell.exe. Note that --load-extension loads an unpacked directory, not a packed .crx, and that the manifest lands outside any User Data tree, so this path is observable only as a process event.
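After any of the tests above fires an alert, the next step is to answer what is actually installed on the host. The following added example (not from the page or Elastic) is a post-alert triage helper that inventories Chromium extensions on disk the same way Test 4 enumerates them, parses each manifest.json, and flags extensions that are not Web Store managed, hold broad host access, or request permissions commonly abused for credential and cookie theft. It assumes the standard on-disk layout <User Data>\<profile>\Extensions\<id>\<version>\manifest.json; the flagging heuristics and the three sample manifests (two using the extension IDs from Tests 2 and 3, one with a non-standard folder name) are constructed for this example.

```python
"""Post-alert triage: inventory Chromium extensions on disk and flag the ones worth a look.
Added example, not from the page or Elastic. Assumes the standard layout
<User Data>/<profile>/Extensions/<id>/<version>/manifest.json; the heuristics and the sample
manifests below are constructed for this example."""
import json
import os
import re
import tempfile

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"   # update_url set by the Chrome Web Store
RISKY = {"cookies", "webRequest", "webRequestBlocking", "debugger", "proxy", "nativeMessaging", "clipboardRead", "tabs"}
EXT_ID = re.compile(r"^[a-p]{32}$")   # store-issued IDs are 32 characters from a-p


def inventory(user_data_root):
    """Walk each profile's Extensions folder and load every manifest.json found."""
    found = []
    for profile in sorted(os.listdir(user_data_root)):
        ext_root = os.path.join(user_data_root, profile, "Extensions")
        if not os.path.isdir(ext_root):
            continue
        for ext_id in sorted(os.listdir(ext_root)):
            id_dir = os.path.join(ext_root, ext_id)
            for version in sorted(os.listdir(id_dir)):
                manifest = os.path.join(id_dir, version, "manifest.json")
                if os.path.isfile(manifest):
                    with open(manifest, encoding="utf-8") as fh:
                        found.append({"profile": profile, "id": ext_id, "version": version, "manifest": json.load(fh)})
    return found


def _broad(pattern):
    """Match patterns that reach every site: <all_urls> or a wildcard host on any scheme."""
    return pattern == "<all_urls>" or pattern.startswith(("*://", "http://*", "https://*"))


def triage(entry):
    """Return the reasons an extension deserves manual review (empty list means nothing unusual)."""
    m, flags = entry["manifest"], []
    if not EXT_ID.match(entry["id"]):
        flags.append("non-standard id")                 # copied-in folder rather than a store install
    if m.get("update_url") != WEBSTORE_UPDATE_URL:
        flags.append("not from Web Store")              # sideloaded, unpacked, or self-hosted updates
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))   # MV2 mixes hosts into permissions
    matches = {p for cs in m.get("content_scripts", []) for p in cs.get("matches", [])}
    if any(_broad(p) for p in perms | matches):
        flags.append("broad host access")
    risky = sorted(perms & RISKY)
    if risky:
        flags.append("risky permissions: " + ", ".join(risky))
    return flags


def build_sample_tree():
    """Constructed sample profile in a temp dir: one store extension, one dropped-in, one unpacked dev copy."""
    root = tempfile.mkdtemp(prefix="userdata_")
    samples = {
        "nmmhkkegccagdldgiimedpiccmgmieda": {"manifest_version": 3, "name": "Store extension", "version": "1.2.3",
                                             "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"]},
        "abcdefghijklmnopabcdefghijklmnop": {"manifest_version": 2, "name": "Helper", "version": "1.0",
                                             "permissions": ["cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
                                             "background": {"scripts": ["background.js"]},
                                             "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
        "helper": {"manifest_version": 3, "name": "Dev build", "version": "0.1",
                   "permissions": ["tabs"], "host_permissions": ["https://*/*"]},
    }
    for ext_id, manifest in samples.items():
        d = os.path.join(root, "Default", "Extensions", ext_id, manifest["version"] + "_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def report(user_data_root):
    """Map extension id to its triage flags for every extension under user_data_root."""
    return {e["id"]: triage(e) for e in inventory(user_data_root)}


if __name__ == "__main__":
    for ext_id, flags in report(build_sample_tree()).items():
        print(ext_id, "REVIEW" if flags else "ok", flags)
```

Point report() at a real profile root (for example %LOCALAPPDATA%\Google\Chrome\User Data, or the Edge and Brave equivalents from the query) during an investigation; the store extension comes back clean while the dropped-in and unpacked copies are flagged for the reasons that matter when deciding whether the alert is a true positive.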
References
- https://attack.mitre.org/techniques/T1176/001/
- https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/
- https://developer.chrome.com/extensions
- https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
- https://www.xorrior.com/No-Place-Like-Chrome/
- https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/
- https://www.proofpoint.com/uk/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global
- https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/
- https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
- https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-ref-guide
- https://support.google.com/chrome/a/answer/9296680
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md