Detect Browser Extensions in Microsoft Sentinel
Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Malicious extensions can be silently installed by modifying a Chromium-based browser's Preferences or Secure Preferences files while the browser is closed, via Windows Registry extension force-install policies, or through social engineering. Once installed, malicious extensions can steal credentials, cookies, and form data; capture screenshots; exfiltrate data to attacker-controlled servers; or establish command-and-control channels. Threat actors and malware families including Kimsuky (TRANSLATEXT), Lumma Stealer, Mispadu, and Grandoreiro have used malicious browser extensions in targeted campaigns.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1176 Software Extensions
- Sub-technique: T1176.001 Browser Extensions
- Canonical reference: https://attack.mitre.org/techniques/T1176/001/
KQL Detection Query
```kql
let BrowserExtensionPaths = dynamic([
    "\\Google\\Chrome\\User Data\\",
    "\\Microsoft\\Edge\\User Data\\",
    "\\BraveSoftware\\Brave-Browser\\User Data\\",
    "\\Opera Software\\Opera Stable\\",
    "\\Chromium\\User Data\\"
]);
let SuspiciousExtensionWriters = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe",
    "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe",
    "certutil.exe", "curl.exe", "wget.exe", "bitsadmin.exe"
]);
// Branch 1: Suspicious process writing to browser extension directories or Preferences files
let Branch1 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (BrowserExtensionPaths)
| where FileName in~ ("Preferences", "Secure Preferences", "manifest.json", "background.js", "content_script.js", "inject.js")
    or FolderPath has "\\Extensions\\"
| where InitiatingProcessFileName has_any (SuspiciousExtensionWriters)
| extend DetectionBranch = "SuspiciousProcessWritingExtension"
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: Browser Preferences/Secure Preferences modified while browser is NOT running
let Branch2 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (BrowserExtensionPaths)
| where FileName in~ ("Preferences", "Secure Preferences")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe")
| where InitiatingProcessFileName !in~ ("explorer.exe", "TextInputHost.exe")
| extend DetectionBranch = "PreferencesModifiedOutsideBrowser"
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath, FileName,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 3: Registry extension force-install (or allowlist) policy creation
let Branch3 = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist"
)
| extend DetectionBranch = "RegistryExtensionForceInstall"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey, RegistryValueName,
    RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 4: New extension directory created in browser profile
// (Chromium extension IDs are 32 characters from the alphabet a-p, hence [a-p]{32})
let Branch4 = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "DirectoryCreated"
| where FolderPath matches regex @"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\Extensions\\[a-p]{32}"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")
| extend DetectionBranch = "NewExtensionDirectoryCreated"
| project Timestamp, DeviceName, AccountName, ActionType, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
union Branch1, Branch2, Branch3, Branch4
| sort by Timestamp desc
```

Detects malicious browser extension installation via four detection branches: (1) suspicious non-browser processes (PowerShell, cmd, scripting engines) writing to browser extension directories or modifying manifest/script files; (2) Preferences or Secure Preferences files modified by a process other than the browser itself, indicating silent background extension injection; (3) Windows Registry extension force-install policy creation that can silently push extensions to all users; (4) new extension ID directories (32 lowercase characters drawn from the letters a-p, the alphabet Chromium uses for extension IDs) created by non-browser processes. Covers Chromium-based browsers including Chrome, Edge, Brave, and Opera. Uses DeviceFileEvents and DeviceRegistryEvents from Microsoft Defender for Endpoint. Because the branches are combined with `union`, a single event can surface more than once (for example, PowerShell writing Preferences matches both Branch 1 and Branch 2).
Data Sources
Required Tables
- DeviceFileEvents (Microsoft Defender for Endpoint)
- DeviceRegistryEvents (Microsoft Defender for Endpoint)
False Positives & Tuning
- Enterprise MDM/group policy tools (Intune, SCCM, Workspace ONE) legitimately writing Chrome or Edge extension force-install registry keys for approved extensions like password managers or DLP agents
- Browser auto-update processes or the Google Update service modifying extension directories during legitimate extension updates
- IT deployment scripts using PowerShell to pre-install approved browser extensions during device provisioning (e.g., corporate new-hire imaging)
- Developer workflows where web developers are actively developing and side-loading unpacked extensions in their own browser profiles
- Security tools or endpoint agents that monitor or back up browser profile data and may trigger on file read/write events in extension directories
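To see how the four branches above behave on concrete telemetry, and how the allowlist-style tuning the False Positives list calls for can be applied, here is the detection logic modelled in Python over constructed MDE-style events. This is an added example, not code from the page, from Microsoft, or from any vendor; the event dictionaries are constructed, the approved deployment tool (ccmexec.exe) and the approved extension ID (the ID from Test 2 below, treated here as approved for illustration) are assumptions, and the update URL is a placeholder. KQL's `has_any` is term-based, which the model approximates with case-insensitive substring matching.

```python
import re

# Profile roots watched by the page's KQL (the BrowserExtensionPaths list).
BROWSER_EXTENSION_PATHS = (
    "\\Google\\Chrome\\User Data\\",
    "\\Microsoft\\Edge\\User Data\\",
    "\\BraveSoftware\\Brave-Browser\\User Data\\",
    "\\Opera Software\\Opera Stable\\",
    "\\Chromium\\User Data\\",
)
SUSPICIOUS_WRITERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe",
                      "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe",
                      "certutil.exe", "curl.exe", "wget.exe", "bitsadmin.exe"}
BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe"}
BENIGN_PREF_WRITERS = {"explorer.exe", "textinputhost.exe"}
PREF_FILES = {"preferences", "secure preferences"}
EXT_FILES = PREF_FILES | {"manifest.json", "background.js", "content_script.js", "inject.js"}
FORCELIST_KEYS = (
    "SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist",
    "SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist",
)
# Chromium extension IDs are 32 characters from the alphabet a-p (each letter encodes one
# nibble of the public-key hash), so the directory regex uses [a-p]{32}, not a hex class.
EXT_DIR_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\Extensions\\([a-p]{32})"
)

# Tuning allowlists (assumed values for illustration; populate from your own environment).
APPROVED_DEPLOY_TOOLS = {"ccmexec.exe"}                        # e.g. the SCCM client
APPROVED_EXTENSION_IDS = {"nmmhkkegccagdldgiimedpiccmgmieda"}  # the ID used in Test 2 on this page


def detect(event, approved_tools=APPROVED_DEPLOY_TOOLS, approved_ids=APPROVED_EXTENSION_IDS):
    """Return the DetectionBranch names the query's union would emit for one event."""
    hits = []
    proc = event.get("InitiatingProcessFileName", "").lower()

    if event["Table"] == "DeviceRegistryEvents":
        key = event.get("RegistryKey", "").lower()
        if any(k.lower() in key for k in FORCELIST_KEYS):
            # Value data is "<extension id>;<update url>"; an approved tool pushing an
            # approved ID is the expected MDM/SCCM case and is tuned out.
            ext_id = event.get("RegistryValueData", "").split(";", 1)[0].lower()
            if not (proc in approved_tools and ext_id in approved_ids):
                hits.append("RegistryExtensionForceInstall")
        return hits

    if event["Table"] != "DeviceFileEvents":
        return hits
    folder = event.get("FolderPath", "")
    folder_l = folder.lower()
    fname = event.get("FileName", "").lower()
    in_profile = any(p.lower() in folder_l for p in BROWSER_EXTENSION_PATHS)

    # Branch 1: scripting engine / LOLBin writing extension files or into \Extensions\.
    if in_profile and (fname in EXT_FILES or "\\extensions\\" in folder_l) and proc in SUSPICIOUS_WRITERS:
        hits.append("SuspiciousProcessWritingExtension")
    # Branch 2: Preferences / Secure Preferences touched by something other than the browser.
    if (in_profile and fname in PREF_FILES and proc not in BROWSER_BINARIES
            and proc not in BENIGN_PREF_WRITERS and proc not in approved_tools):
        hits.append("PreferencesModifiedOutsideBrowser")
    # Branch 4: a new <extension id> directory created by a non-browser process.
    if (event.get("ActionType") == "DirectoryCreated" and EXT_DIR_RE.search(folder)
            and proc not in BROWSER_BINARIES and proc not in approved_tools):
        hits.append("NewExtensionDirectoryCreated")
    return hits


def run(events):
    """Flatten results like the KQL union: one row per (event index, branch)."""
    return [(i, branch) for i, ev in enumerate(events) for branch in detect(ev)]


# Constructed MDE-style events (not real telemetry).
PROFILE = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
FORCELIST = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist"
VALUE = "nmmhkkegccagdldgiimedpiccmgmieda;https://updates.example/crx"  # placeholder update URL
SAMPLE_EVENTS = [
    # 0: PowerShell rewrites Preferences while Chrome is closed (Test 1 pattern): Branch 1 and 2
    {"Table": "DeviceFileEvents", "ActionType": "FileModified", "FolderPath": PROFILE,
     "FileName": "Preferences", "InitiatingProcessFileName": "powershell.exe"},
    # 1: Chrome itself writes Secure Preferences: normal behaviour, no alert
    {"Table": "DeviceFileEvents", "ActionType": "FileModified", "FolderPath": PROFILE,
     "FileName": "Secure Preferences", "InitiatingProcessFileName": "chrome.exe"},
    # 2: reg.exe sets a force-install policy value (Test 2 pattern): Branch 3
    {"Table": "DeviceRegistryEvents", "ActionType": "RegistryValueSet", "RegistryKey": FORCELIST,
     "RegistryValueName": "1", "RegistryValueData": VALUE, "InitiatingProcessFileName": "reg.exe"},
    # 3: the same approved ID pushed by the approved deployment tool: tuned out
    {"Table": "DeviceRegistryEvents", "ActionType": "RegistryValueSet", "RegistryKey": FORCELIST,
     "RegistryValueName": "1", "RegistryValueData": VALUE, "InitiatingProcessFileName": "ccmexec.exe"},
    # 4: cmd.exe creates a new extension directory (Test 3 pattern): Branch 1 and 4
    {"Table": "DeviceFileEvents", "ActionType": "DirectoryCreated",
     "FolderPath": PROFILE + "\\Extensions\\abcdefghijklmnopabcdefghijklmnop",
     "FileName": "abcdefghijklmnopabcdefghijklmnop", "InitiatingProcessFileName": "cmd.exe"},
    # 5: a hex-looking name is not a valid extension ID, so Branch 4 stays quiet; Branch 1 fires
    {"Table": "DeviceFileEvents", "ActionType": "DirectoryCreated",
     "FolderPath": PROFILE + "\\Extensions\\0123456789abcdef0123456789abcdef",
     "FileName": "0123456789abcdef0123456789abcdef", "InitiatingProcessFileName": "cmd.exe"},
]

if __name__ == "__main__":
    for idx, branch in run(SAMPLE_EVENTS):
        print(f"event {idx}: {branch}")
```

Events 0 and 4 each produce two rows, which is what the KQL `union` does as well; if you alert on the Sentinel query, summarising by device and path with a set of DetectionBranch values keeps one incident per event while preserving which branches matched. The approved-tool exclusion is deliberately not applied to Branch 1, since the scripting engines it keys on are exactly the ones an IT provisioning script would use; that false-positive class is better handled by account, script hash, or device group than by process name.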
Other platforms for T1176.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Silently Install Chrome Extension via Preferences File Modification
Expected signal: Sysmon Event ID 11: File Create/Modify with TargetFilename ending in '\Google\Chrome\User Data\Default\Preferences', Image=powershell.exe. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Preferences' and 'ConvertFrom-Json'. DeviceFileEvents (MDE): FolderPath containing 'Google\Chrome\User Data\Default', FileName='Preferences', InitiatingProcessFileName='powershell.exe'.
- Test 2: Force-Install Browser Extension via Registry Policy
Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist', Details containing the extension ID and update URL, Image=reg.exe. DeviceRegistryEvents (MDE): RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData='nmmhkkegccagdldgiimedpiccmgmieda;...', InitiatingProcessFileName='reg.exe'.
- Test 3: Drop Malicious Extension Files to Browser Extension Directory
Expected signal: Sysmon Event ID 11: Multiple File Create events with TargetFilename in '...Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\' for manifest.json, background.js, and content.js, all with Image=powershell.exe. Sysmon Event ID 1: PowerShell process create with CommandLine referencing extension directory and manifest content. DeviceFileEvents (MDE): Multiple records with FolderPath containing 'Extensions\abcdefghijklmnopabcdefghijklmnop', InitiatingProcessFileName='powershell.exe'.
- Test 4: Enumerate Installed Browser Extensions for Reconnaissance
Expected signal: Sysmon Event ID 1: PowerShell process create with CommandLine referencing 'Extensions' and 'manifest.json'. DeviceFileEvents (MDE): Multiple FileRead events on manifest.json files in extension directories with InitiatingProcessFileName='powershell.exe'. This test generates lower-confidence telemetry (reads, not writes) suitable for hunting queries rather than high-confidence alerting.
- Test 5: Install Extension via .CRX File Drop and Chrome Command Line
Expected signal: Sysmon Event ID 1: PowerShell process create writing manifest.json to TEMP directory. If Chrome launch is executed: Sysmon Event ID 1 for chrome.exe with CommandLine containing '--load-extension' pointing to temp directory. DeviceProcessEvents (MDE): chrome.exe launched with non-standard command line arguments including '--load-extension'. DeviceFileEvents: manifest.json created in %TEMP% by powershell.exe.
References (12)
- https://attack.mitre.org/techniques/T1176/001/
- https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/
- https://developer.chrome.com/extensions
- https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
- https://www.xorrior.com/No-Place-Like-Chrome/
- https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/
- https://www.proofpoint.com/uk/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global
- https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/
- https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/
- https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-ref-guide
- https://support.google.com/chrome/a/answer/9296680
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md