T1176.001 Sumo Logic CSE · Sumo

Detect Browser Extensions in Sumo Logic CSE

Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Malicious extensions can be installed silently by editing a Chromium-based browser's Preferences or Secure Preferences file while the browser is closed, by setting a Windows Registry extension force-install policy (ExtensionInstallForcelist), or through social engineering. Once installed, a malicious extension runs inside the browser with whatever permissions its manifest declares: it can steal credentials, cookies, and form data; capture screenshots; exfiltrate data to attacker-controlled servers; or act as a command-and-control channel. Threat actors and malware families including Kimsuky (TRANSLATEXT), Lumma Stealer, Mispadu, and Grandoreiro have used malicious browser extensions in targeted campaigns.

MITRE ATT&CK

Tactic
Persistence
Technique
T1176 Software Extensions
Sub-technique
T1176.001 Browser Extensions
Canonical reference
https://attack.mitre.org/techniques/T1176/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
// Sysmon 11 = FileCreate (fires on create or overwrite), 13 = RegistryEvent (Value Set).
// Field names assume the Sysmon event data has already been parsed into fields.
| where EventCode in ("11", "13")
| where (
    EventCode = "11"
    AND (
      TargetFilename matches "*\\Google\\Chrome\\User Data\\*"
      OR TargetFilename matches "*\\Microsoft\\Edge\\User Data\\*"
      OR TargetFilename matches "*\\BraveSoftware\\Brave-Browser\\User Data\\*"
      OR TargetFilename matches "*\\Opera Software\\Opera Stable\\*"
      OR TargetFilename matches "*\\Chromium\\User Data\\*"
    )
    AND (
      TargetFilename matches "*\\Extensions\\*"
      OR TargetFilename matches "*Preferences"
      OR TargetFilename matches "*Secure Preferences"
      OR TargetFilename matches "*manifest.json"
      OR TargetFilename matches "*background.js"
      OR TargetFilename matches "*content_script.js"
      OR TargetFilename matches "*inject.js"
    )
    // The browsers rewrite their own Preferences files continuously; drop those writes
    // so the PreferencesModified branch really means "modified outside the browser".
    AND !(
      Image matches "*\\chrome.exe" OR Image matches "*\\msedge.exe"
      OR Image matches "*\\brave.exe" OR Image matches "*\\opera.exe"
      OR Image matches "*\\chromium.exe"
    )
  )
  OR (
    EventCode = "13"
    AND (
      TargetObject matches "*Policies\\Google\\Chrome\\ExtensionInstallForcelist*"
      OR TargetObject matches "*Policies\\Microsoft\\Edge\\ExtensionInstallForcelist*"
      OR TargetObject matches "*Policies\\BraveSoftware\\Brave\\ExtensionInstallForcelist*"
      OR TargetObject matches "*Policies\\Google\\Chrome\\ExtensionInstallAllowlist*"
    )
  )
// Sumo's search language has no eval; derived fields are written "| expression as field".
| if(EventCode = "11" AND (
      Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe" OR
      Image matches "*\\cmd.exe" OR Image matches "*\\wscript.exe" OR
      Image matches "*\\mshta.exe" OR Image matches "*\\cscript.exe" OR
      Image matches "*\\regsvr32.exe" OR Image matches "*\\rundll32.exe" OR
      Image matches "*\\msiexec.exe" OR Image matches "*\\certutil.exe" OR
      Image matches "*\\curl.exe" OR Image matches "*\\wget.exe" OR
      Image matches "*\\bitsadmin.exe"
    ), 1, 0) as SuspiciousWriter
| if(EventCode = "13", 1, 0) as ForceInstallRegistry
| if(EventCode = "11" AND (
      TargetFilename matches "*Preferences" OR TargetFilename matches "*Secure Preferences"
    ), 1, 0) as PreferencesModified
| if(EventCode = "11" AND TargetFilename matches "*\\Extensions\\*", 1, 0) as ExtensionDirWrite
| SuspiciousWriter + ForceInstallRegistry + PreferencesModified + ExtensionDirWrite as SuspicionScore
| where SuspicionScore >= 1
| if(ForceInstallRegistry = 1, "ForceInstallRegistry",
    if(SuspiciousWriter = 1, "SuspiciousProcessWrite",
    if(PreferencesModified = 1, "PreferencesModifiedOutsideBrowser", "ExtensionFileWrite"))) as DetectionBranch
// CommandLine is only carried on Sysmon Event ID 1; it is empty on 11/13 unless joined by ProcessGuid.
| fields _messageTime, Computer, User, EventCode, Image, CommandLine, TargetFilename, TargetObject, Details, SuspicionScore, DetectionBranch
| sort by _messageTime desc
Severity: high. Confidence: high.

Detects browser extension installation and persistence from Sysmon telemetry ingested into Sumo Logic. The EventCode 11 (FileCreate) branch catches writes into Chromium profile extension directories and to the Preferences and Secure Preferences files by any process other than the browser itself; the EventCode 13 (RegistryEvent, value set) branch catches creation of ExtensionInstallForcelist and ExtensionInstallAllowlist policy values. Each event receives a suspicion score from four flags: the writing process is a known LOLBin, a preference file was written, an extension directory was written, or a policy forcelist value was set. DetectionBranch records which condition fired, in priority order (registry policy, LOLBin writer, preference file, extension directory), so tuning can be applied per branch. Sysmon Event ID 11 only fires on file creation or overwrite, not on in-place writes, so an in-place edit of Preferences by a tool that does not recreate the file is not visible to this query. Maps to MITRE ATT&CK T1176.001.
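To check the branch and scoring logic offline before deploying the query, here is an added example (not code from the original page) that replays the same rules in Python over a handful of constructed Sysmon Event ID 11/13 records. Field names follow Sysmon's schema; the hosts, paths and events are invented for the demonstration.

```python
"""Added example: the Sumo query's branch logic replayed over constructed Sysmon
events. Not code from the original page; the sample events below are invented."""
import fnmatch
from typing import Optional

# Same path patterns as the query (fnmatch treats backslash as a literal).
PROFILE_ROOTS = [
    r"*\Google\Chrome\User Data\*",
    r"*\Microsoft\Edge\User Data\*",
    r"*\BraveSoftware\Brave-Browser\User Data\*",
    r"*\Opera Software\Opera Stable\*",
    r"*\Chromium\User Data\*",
]
EXT_TARGETS = [r"*\Extensions\*", "*Preferences", "*Secure Preferences",
               "*manifest.json", "*background.js", "*content_script.js", "*inject.js"]
FORCELIST_KEYS = [
    r"*Policies\Google\Chrome\ExtensionInstallForcelist*",
    r"*Policies\Microsoft\Edge\ExtensionInstallForcelist*",
    r"*Policies\BraveSoftware\Brave\ExtensionInstallForcelist*",
    r"*Policies\Google\Chrome\ExtensionInstallAllowlist*",
]
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe",
           "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe",
           "certutil.exe", "curl.exe", "wget.exe", "bitsadmin.exe"}
# The browsers rewrite Preferences constantly; their own writes are expected noise.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe"}


def _any(patterns, value):
    # Windows paths are case-insensitive; normalise so the example behaves the same on any host.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Optional[dict]:
    """Return {'score', 'branch'} for a Sysmon event, or None if the query would drop it."""
    code = str(ev.get("EventCode"))
    target = ev.get("TargetFilename", "")
    image = ev.get("Image", "")
    if code == "11":
        if not (_any(PROFILE_ROOTS, target) and _any(EXT_TARGETS, target)):
            return None
        if _basename(image) in BROWSERS:
            return None  # browser writing its own profile: excluded
        suspicious_writer = _basename(image) in LOLBINS
        prefs = _any(["*Preferences", "*Secure Preferences"], target)
        ext_dir = _any([r"*\Extensions\*"], target)
        force = False
    elif code == "13":
        if not _any(FORCELIST_KEYS, ev.get("TargetObject", "")):
            return None
        suspicious_writer = prefs = ext_dir = False
        force = True
    else:
        return None
    score = sum([suspicious_writer, force, prefs, ext_dir])
    if score < 1:
        return None
    if force:
        branch = "ForceInstallRegistry"
    elif suspicious_writer:
        branch = "SuspiciousProcessWrite"
    elif prefs:
        branch = "PreferencesModifiedOutsideBrowser"
    else:
        branch = "ExtensionFileWrite"
    return {"score": score, "branch": branch}


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"EventCode": "11", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Preferences"},
    {"EventCode": "11", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences"},
    {"EventCode": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1",
     "Details": "nmmhkkegccagdldgiimedpiccmgmieda;https://clients2.google.com/service/update2/crx"},
    {"EventCode": "11", "Image": r"C:\Tools\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\manifest.json"},
    {"EventCode": "11", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\ext\manifest.json"},
]


def run(events):
    """Apply score_event to each event; return the (event, result) pairs that would alert."""
    return [(e, r) for e in events if (r := score_event(e)) is not None]


if __name__ == "__main__":
    for e, r in run(SAMPLE_EVENTS):
        print(r["branch"], r["score"], e["Image"], e.get("TargetFilename") or e.get("TargetObject"))
```

The second sample (chrome.exe rewriting Secure Preferences) and the fifth (a manifest.json dropped in %TEMP%, outside any profile) are the two cases the query is silent on; the first is the only one that scores above 1, because both the LOLBin-writer and preference-file flags apply.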

Data Sources

  • Microsoft Windows Sysmon (via Sumo Logic Windows Collector or Installed Collector)
  • Sumo Logic Cloud SIEM Enterprise (CSE)

Required Tables

  • _sourceCategory=*windows*
  • _sourceCategory=*sysmon*
  • _sourceCategory=*winlogbeat*

False Positives & Tuning

  • Group Policy-driven extension deployment: the Group Policy client (gpsvc, hosted in svchost.exe) writes the same ExtensionInstallForcelist values an attacker would, so DetectionBranch=ForceInstallRegistry fires on every policy refresh that changes them. Validate these events against AD change management records and the forcelist entries approved in the GPO, and suppress when Image is the Group Policy client and Details carries an approved extension ID and update URL.
  • Browser installer and updater frameworks (GoogleUpdate.exe, MicrosoftEdgeUpdate.exe, the browser setup.exe) writing extension files during factory or enterprise baseline provisioning: verify that Image is the expected vendor binary under Program Files and that the parent process is the installer.
  • Endpoint configuration tools such as Puppet or Chef applying browser hardening baselines that write to extension or preference paths: cross-reference the CommandLine of the matching Event ID 1 with the expected playbook patterns and correlate with CMDB deployment schedules.
Testing Methodology

Validate this detection against the five Atomic Red Team-style tests below. Each lists the behaviour to exercise and the telemetry you should expect; the Sumo query above consumes only the Sysmon events, and the MDE columns are given for cross-checking in Defender. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Silently Install Chrome Extension via Preferences File Modification

    Expected signal: Sysmon Event ID 11 (FileCreate, which fires on create or overwrite, not on in-place writes) with TargetFilename ending in '\Google\Chrome\User Data\Default\Preferences' and Image=powershell.exe. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Preferences' and 'ConvertFrom-Json'. DeviceFileEvents (MDE): FolderPath containing 'Google\Chrome\User Data\Default', FileName='Preferences', InitiatingProcessFileName='powershell.exe'. Run the test with the browser closed. Chrome validates tracked preferences, including extensions.settings, against the MACs kept in Secure Preferences, so an edit to Preferences alone is reverted at the next launch; the write telemetry is the same either way.

  2. Test 2: Force-Install Browser Extension via Registry Policy

    Expected signal: Sysmon Event ID 13: Registry Value Set with TargetObject containing 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist', Details containing the extension ID and update URL, Image=reg.exe. DeviceRegistryEvents (MDE): RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData='nmmhkkegccagdldgiimedpiccmgmieda;...', InitiatingProcessFileName='reg.exe'.

  3. Test 3: Drop Malicious Extension Files to Browser Extension Directory

    Expected signal: Sysmon Event ID 11: Multiple File Create events with TargetFilename in '...Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\' for manifest.json, background.js, and content.js, all with Image=powershell.exe. Sysmon Event ID 1: PowerShell process create with CommandLine referencing extension directory and manifest content. DeviceFileEvents (MDE): Multiple records with FolderPath containing 'Extensions\abcdefghijklmnopabcdefghijklmnop', InitiatingProcessFileName='powershell.exe'.

  4. Test 4: Enumerate Installed Browser Extensions for Reconnaissance

    Expected signal: Sysmon Event ID 1: PowerShell process create with CommandLine referencing 'Extensions' and 'manifest.json'. DeviceFileEvents (MDE): Multiple FileRead events on manifest.json files in extension directories with InitiatingProcessFileName='powershell.exe'. This test generates lower-confidence telemetry (reads, not writes) suitable for hunting queries rather than high-confidence alerting.

  5. Test 5: Install Extension via .CRX File Drop and Chrome Command Line

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe, followed by Sysmon Event ID 11 for manifest.json created under %TEMP% with Image=powershell.exe. The query above keys on profile paths and does not match a drop in %TEMP%; if the Chrome launch is executed, the signal to alert on is Sysmon Event ID 1 for chrome.exe with CommandLine containing '--load-extension' pointing at the temp directory. DeviceProcessEvents (MDE): chrome.exe launched with non-standard command line arguments including '--load-extension'. DeviceFileEvents: manifest.json created in %TEMP% by powershell.exe. As of Chrome 137, branded Google Chrome builds ignore '--load-extension', so the process-create telemetry still appears but the extension does not load; Chromium builds still honour the flag.
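Tests 1, 2 and 4 all end in the same two host artifacts: the profile's Preferences/Secure Preferences JSON and the ExtensionInstallForcelist registry values. The following added example (not from the original page or from Atomic Red Team) triages those artifacts offline for the investigation step: it parses the forcelist value format (`id;update_url`) and walks `extensions.settings` to flag extensions that were sideloaded, are not from the Web Store, or are forced by policy from a non-store update URL. The `location` numbering is assumed from Chromium's ManifestLocation enum, and the Preferences content and forcelist values are constructed.

```python
"""Added example, not from the original page: triage a Chromium Preferences file and
ExtensionInstallForcelist registry values for extensions that arrived outside the
Web Store. The sample inputs below are constructed."""
import json

# extensions.settings.<id>.location values, assumed from Chromium's ManifestLocation
# enum (extensions/common/mojom/manifest.mojom); verify against your browser version.
LOCATION = {1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
            5: "component", 6: "external_pref_download", 7: "external_policy_download",
            8: "command_line", 9: "external_policy", 10: "external_component"}
SIDELOADED = {2, 3, 4, 8}   # loaded from disk, registry or --load-extension
COMPONENT = {5, 10}         # shipped with the browser; from_webstore is false by design
WEBSTORE_UPDATE_URLS = {    # what a policy-forced store extension normally points at
    "https://clients2.google.com/service/update2/crx",
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}


def parse_forcelist(values):
    """Forcelist registry values are 'extension_id;update_url' strings; return {id: url}."""
    out = {}
    for v in values:
        ext_id, _, url = v.partition(";")
        out[ext_id.strip()] = url.strip() or None
    return out


def triage(prefs_text, forcelist_values=()):
    """Return findings (sorted by extension id) for extensions that deserve a closer look."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    forced = parse_forcelist(forcelist_values)
    findings = []
    for ext_id, s in settings.items():
        loc = s.get("location")
        reasons = []
        if loc in SIDELOADED:
            reasons.append(f"location={LOCATION.get(loc, loc)}")
        if s.get("from_webstore") is False and loc not in COMPONENT:
            reasons.append("from_webstore=false")
        if ext_id in forced and forced[ext_id] not in WEBSTORE_UPDATE_URLS:
            reasons.append(f"forced from {forced[ext_id]}")
        if reasons:
            findings.append({"id": ext_id, "name": s.get("manifest", {}).get("name"),
                             "enabled": s.get("state") == 1, "path": s.get("path"),
                             "reasons": reasons})
    # A forcelist entry with no profile entry is a pending install (or a stale policy).
    for ext_id, url in forced.items():
        if ext_id not in settings:
            findings.append({"id": ext_id, "name": None, "enabled": False, "path": None,
                             "reasons": [f"in forcelist but not in profile (update_url={url})"]})
    return sorted(findings, key=lambda f: f["id"])


# Constructed sample inputs (not real profile data or policy values).
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "nmmhkkegccagdldgiimedpiccmgmieda": {"location": 7, "from_webstore": True, "state": 1,
                                         "manifest": {"name": "Forced store extension"}},
    "abcdefghijklmnopabcdefghijklmnop": {"location": 4, "from_webstore": False, "state": 1,
                                         "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\ext",
                                         "manifest": {"name": "Helper"}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 5, "from_webstore": False, "state": 1,
                                         "manifest": {"name": "Built-in component"}},
}}})
SAMPLE_FORCELIST = [
    "nmmhkkegccagdldgiimedpiccmgmieda;https://clients2.google.com/service/update2/crx",
    "cccccccccccccccccccccccccccccccc;https://updates.example.invalid/update.xml",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_PREFERENCES, SAMPLE_FORCELIST):
        print(f["id"], f["name"], f["enabled"], "; ".join(f["reasons"]))
```

On a live host, feed it the contents of `...\User Data\Default\Preferences` (and Secure Preferences, which holds the same `extensions.settings` layout for tracked entries) together with the values enumerated under the ExtensionInstallForcelist policy key; the component extension is deliberately not flagged, and a store extension forced from the Web Store update URL is treated as routine enterprise deployment.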
