T1176.001 Splunk · SPL

Detect Browser Extensions in Splunk

Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Malicious extensions can be silently installed by modifying Chromium-based browser Preferences or Secure Preferences files while the browser is closed, via Windows Registry extension force-install policies, or through social engineering. Once installed, malicious extensions can steal credentials, cookies, and form data; capture screenshots; exfiltrate data to attacker-controlled servers; or establish command-and-control channels. Threat actors including Kimsuky (TRANSLATEXT), Lumma Stealer, Mispadu, and Grandoreiro have used malicious browser extensions in targeted campaigns.

MITRE ATT&CK

Tactic
Persistence
Technique
T1176 Software Extensions
Sub-technique
T1176.001 Browser Extensions
Canonical reference
https://attack.mitre.org/techniques/T1176/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog earliest=-24h
(
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    (
      TargetFilename="*\\Google\\Chrome\\User Data\\*"
      OR TargetFilename="*\\Microsoft\\Edge\\User Data\\*"
      OR TargetFilename="*\\BraveSoftware\\Brave-Browser\\User Data\\*"
    )
    (
      TargetFilename="*\\Preferences"
      OR TargetFilename="*\\Secure Preferences"
      OR TargetFilename="*manifest.json"
      OR TargetFilename="*background.js"
      OR TargetFilename="*content_script.js"
      OR TargetFilename="*\\Extensions\\*"
    )
  )
  OR
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    (
      TargetObject="*\\Policies\\Google\\Chrome\\ExtensionInstallForcelist*"
      OR TargetObject="*\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist*"
      OR TargetObject="*\\Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist*"
      OR TargetObject="*\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist*"
    )
  )
)
| eval EventType=case(
    EventCode=="11", "FileCreate",
    EventCode=="13", "RegistrySetValue",
    true(), "Unknown"
  )
| eval SuspiciousWriter=case(
    EventCode=="11" AND (match(Image, "(?i)(powershell|pwsh|cmd|wscript|mshta|cscript|regsvr32|rundll32|msiexec|certutil|curl|wget|bitsadmin)\.exe")), 1,
    EventCode=="11" AND NOT (match(Image, "(?i)(chrome|msedge|brave|opera|chromium|GoogleUpdate|MicrosoftEdgeUpdate)\.exe")), 1,
    EventCode=="13", 1,
    true(), 0
  )
| eval PreferencesModified=if(EventCode=="11" AND (match(TargetFilename, "(?i)(Preferences|Secure Preferences)$")), 1, 0)
| eval ManifestOrScriptModified=if(EventCode=="11" AND (match(TargetFilename, "(?i)(manifest\.json|background\.js|content_script\.js|inject\.js)$")), 1, 0)
| eval ExtensionDirWrite=if(EventCode=="11" AND match(TargetFilename, "(?i)\\Extensions\\"), 1, 0)
| eval ForceInstallRegistry=if(EventCode=="13", 1, 0)
| eval SuspicionScore=SuspiciousWriter + PreferencesModified + ManifestOrScriptModified + ExtensionDirWrite + ForceInstallRegistry
| where SuspicionScore >= 1
| eval IndicatorSummary=mvjoin(mvfilter(match(mvappend(
    if(PreferencesModified=1, "PreferencesModified", null()),
    if(ManifestOrScriptModified=1, "ManifestOrScriptModified", null()),
    if(ExtensionDirWrite=1, "ExtensionDirWrite", null()),
    if(ForceInstallRegistry=1, "ForceInstallRegistry", null()),
    if(SuspiciousWriter=1, "SuspiciousWriter", null())
  ), ".+")), ", ")
| table _time, host, User, EventType, Image, CommandLine, TargetFilename, TargetObject, Details, SuspicionScore, IndicatorSummary
| sort - _time
high severity medium confidence

Detects malicious browser extension installation using Sysmon Event ID 11 (File Create) and Event ID 13 (Registry Value Set). Flags file writes to Chromium browser extension directories, Preferences/Secure Preferences modifications, and manifest or script file creation by suspicious non-browser processes. Also detects Windows Registry extension force-install policy writes that can silently push extensions to browsers. Assigns a suspicion score based on multiple indicator categories. Covers Chrome, Edge, and Brave on Windows.

Data Sources

File: File CreationWindows Registry: Windows Registry Key ModificationSysmon Event ID 11Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Enterprise MDM/group policy tools (Intune, SCCM) legitimately writing extension force-install registry keys for approved enterprise extensions
  • Browser auto-update services (GoogleUpdate, MicrosoftEdgeUpdate) modifying extension files during scheduled updates
  • IT provisioning scripts using PowerShell to deploy approved browser extensions during workstation imaging
  • Web developers side-loading unpacked extensions during development and testing workflows
  • DLP or browser management agents that actively manage or audit browser profile configurations
Download portable Sigma rule (.yml)

Other platforms for T1176.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Silently Install Chrome Extension via Preferences File Modification

    Expected signal: Sysmon Event ID 11: File Create/Modify with TargetFilename ending in '\Google\Chrome\User Data\Default\Preferences', Image=powershell.exe. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Preferences' and 'ConvertFrom-Json'. DeviceFileEvents (MDE): FolderPath containing 'Google\Chrome\User Data\Default', FileName='Preferences', InitiatingProcessFileName='powershell.exe'.

  2. Test 2Force-Install Browser Extension via Registry Policy

    Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist', Details containing the extension ID and update URL, Image=reg.exe. DeviceRegistryEvents (MDE): RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData='nmmhkkegccagdldgiimedpiccmgmieda;...', InitiatingProcessFileName='reg.exe'.

  3. Test 3Drop Malicious Extension Files to Browser Extension Directory

    Expected signal: Sysmon Event ID 11: Multiple File Create events with TargetFilename in '...Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\' for manifest.json, background.js, and content.js, all with Image=powershell.exe. Sysmon Event ID 1: PowerShell process create with CommandLine referencing extension directory and manifest content. DeviceFileEvents (MDE): Multiple records with FolderPath containing 'Extensions\abcdefghijklmnopabcdefghijklmnop', InitiatingProcessFileName='powershell.exe'.

  4. Test 4Enumerate Installed Browser Extensions for Reconnaissance

    Expected signal: Sysmon Event ID 1: PowerShell process create with CommandLine referencing 'Extensions' and 'manifest.json'. DeviceFileEvents (MDE): Multiple FileRead events on manifest.json files in extension directories with InitiatingProcessFileName='powershell.exe'. This test generates lower-confidence telemetry (reads, not writes) suitable for hunting queries rather than high-confidence alerting.

  5. Test 5Install Extension via .CRX File Drop and Chrome Command Line

    Expected signal: Sysmon Event ID 1: PowerShell process create writing manifest.json to TEMP directory. If Chrome launch is executed: Sysmon Event ID 1 for chrome.exe with CommandLine containing '--load-extension' pointing to temp directory. DeviceProcessEvents (MDE): chrome.exe launched with non-standard command line arguments including '--load-extension'. DeviceFileEvents: manifest.json created in %TEMP% by powershell.exe.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1176.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1176Software Extensions

Related Sub-techniques

T1176.002IDE Extensions

Related Techniques

T1176Software ExtensionsT1539Steal Web Session CookieT1555.003Credentials from Web BrowsersT1113Screen CaptureT1056.003Web Portal CaptureT1071.001Web ProtocolsT1074.001Local Data StagingT1059.001PowerShellT1547Boot or Logon Autostart ExecutionT1112Modify Registry

Same Tactic: Persistence

Popular Detections