T1176.001 IBM QRadar · QRadar

Detect Browser Extensions in IBM QRadar

Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Malicious extensions can be silently installed by modifying Chromium-based browser Preferences or Secure Preferences files while the browser is closed, via Windows Registry extension force-install policies, or through social engineering. Once installed, malicious extensions can steal credentials, cookies, and form data; capture screenshots; exfiltrate data to attacker-controlled servers; or establish command-and-control channels. Threat actors including Kimsuky (TRANSLATEXT), Lumma Stealer, Mispadu, and Grandoreiro have used malicious browser extensions in targeted campaigns.

MITRE ATT&CK

Tactic
Persistence
Technique
T1176 Software Extensions
Sub-technique
T1176.001 Browser Extensions
Canonical reference
https://attack.mitre.org/techniques/T1176/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS hostname,
  username,
  QIDNAME(qid) AS event_name,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "TargetFilename" AS target_filename,
  "TargetObject" AS registry_key,
  "Details" AS registry_value,
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  devicetime >= NOW() - 86400000
  AND (
    (
      "EventCode" = '11'
      AND (
        "TargetFilename" ILIKE '%\Google\Chrome\User Data\%'
        OR "TargetFilename" ILIKE '%\Microsoft\Edge\User Data\%'
        OR "TargetFilename" ILIKE '%\BraveSoftware\Brave-Browser\User Data\%'
        OR "TargetFilename" ILIKE '%\Opera Software\Opera Stable\%'
        OR "TargetFilename" ILIKE '%\Chromium\User Data\%'
      )
      AND (
        "TargetFilename" ILIKE '%\Extensions\%'
        OR "TargetFilename" ILIKE '%Preferences'
        OR "TargetFilename" ILIKE '%Secure Preferences'
        OR "TargetFilename" ILIKE '%manifest.json'
        OR "TargetFilename" ILIKE '%background.js'
        OR "TargetFilename" ILIKE '%content_script.js'
        OR "TargetFilename" ILIKE '%inject.js'
      )
    )
    OR (
      "EventCode" = '13'
      AND (
        "TargetObject" ILIKE '%Policies\Google\Chrome\ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%Policies\Microsoft\Edge\ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%Policies\BraveSoftware\Brave\ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%Policies\Google\Chrome\ExtensionInstallAllowlist%'
      )
    )
  )
ORDER BY devicetime DESC
high severity high confidence

Detects browser extension abuse via Sysmon events forwarded to IBM QRadar. Monitors Sysmon EventCode 11 (FileCreate) for writes to Chromium browser extension directories and critical preference files across Chrome, Edge, Brave, Opera, and Chromium profiles. Also monitors Sysmon EventCode 13 (RegistrySetValue) for creation of ExtensionInstallForcelist and ExtensionInstallAllowlist registry policies used to force-push extensions. Maps to MITRE ATT&CK T1176.001.

Data Sources

Microsoft Windows Sysmon (via WinCollect or Universal DSM)IBM QRadar SIEM events table

Required Tables

events

False Positives & Tuning

  • IT-managed Active Directory Group Policy deploying approved extensions to ExtensionInstallForcelist — validate against authorized GPO change records; filter by Image field showing legitimate GPO processing tools such as gpo_update.exe or svchost.exe running under SYSTEM from expected parent processes
  • Browser installer or version update manager (GoogleUpdate.exe, MicrosoftEdgeUpdate.exe, brave_browser_update.exe) writing to User Data paths during extension updates — correlate Image field against known vendor update binary paths and verify digital signature validity
  • Enterprise configuration management agents (Ansible WinRM, Chef, Salt Minion) applying sanctioned browser configuration policies — cross-reference with CMDB change records and confirm CommandLine includes expected configuration parameters
Download portable Sigma rule (.yml)

Other platforms for T1176.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Silently Install Chrome Extension via Preferences File Modification

    Expected signal: Sysmon Event ID 11: File Create/Modify with TargetFilename ending in '\Google\Chrome\User Data\Default\Preferences', Image=powershell.exe. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Preferences' and 'ConvertFrom-Json'. DeviceFileEvents (MDE): FolderPath containing 'Google\Chrome\User Data\Default', FileName='Preferences', InitiatingProcessFileName='powershell.exe'.

  2. Test 2Force-Install Browser Extension via Registry Policy

    Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist', Details containing the extension ID and update URL, Image=reg.exe. DeviceRegistryEvents (MDE): RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData='nmmhkkegccagdldgiimedpiccmgmieda;...', InitiatingProcessFileName='reg.exe'.

  3. Test 3Drop Malicious Extension Files to Browser Extension Directory

    Expected signal: Sysmon Event ID 11: Multiple File Create events with TargetFilename in '...Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\' for manifest.json, background.js, and content.js, all with Image=powershell.exe. Sysmon Event ID 1: PowerShell process create with CommandLine referencing extension directory and manifest content. DeviceFileEvents (MDE): Multiple records with FolderPath containing 'Extensions\abcdefghijklmnopabcdefghijklmnop', InitiatingProcessFileName='powershell.exe'.

  4. Test 4Enumerate Installed Browser Extensions for Reconnaissance

    Expected signal: Sysmon Event ID 1: PowerShell process create with CommandLine referencing 'Extensions' and 'manifest.json'. DeviceFileEvents (MDE): Multiple FileRead events on manifest.json files in extension directories with InitiatingProcessFileName='powershell.exe'. This test generates lower-confidence telemetry (reads, not writes) suitable for hunting queries rather than high-confidence alerting.

  5. Test 5Install Extension via .CRX File Drop and Chrome Command Line

    Expected signal: Sysmon Event ID 1: PowerShell process create writing manifest.json to TEMP directory. If Chrome launch is executed: Sysmon Event ID 1 for chrome.exe with CommandLine containing '--load-extension' pointing to temp directory. DeviceProcessEvents (MDE): chrome.exe launched with non-standard command line arguments including '--load-extension'. DeviceFileEvents: manifest.json created in %TEMP% by powershell.exe.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1176.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1176Software Extensions

Related Sub-techniques

T1176.002IDE Extensions

Related Techniques

T1176Software ExtensionsT1539Steal Web Session CookieT1555.003Credentials from Web BrowsersT1113Screen CaptureT1056.003Web Portal CaptureT1071.001Web ProtocolsT1074.001Local Data StagingT1059.001PowerShellT1547Boot or Logon Autostart ExecutionT1112Modify Registry

Same Tactic: Persistence

Popular Detections