Detect Software Extensions in Google Chronicle
Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1176 Software Extensions
- Canonical reference: https://attack.mitre.org/techniques/T1176/
YARA-L Detection Query
rule t1176_software_extension_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1176 Software Extension abuse: suspicious file writes to browser/IDE extension directories, registry forced-install policy modification, and CLI-based extension loading or installation"
    mitre_attack_technique = "T1176"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-19"

  events:
    (
      // Branch 1: Suspicious file creation in browser or IDE extension directories
      $e.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e.target.file.full_path, `(?i)AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*\\extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)\.vscode\\extensions\\`)
        or re.regex($e.target.file.full_path, `(?i)AppData\\Roaming\\Code\\extensions\\`)
      )
      and (
        re.regex($e.target.file.full_path, `(?i)\.(crx|xpi|vsix|js)$`)
        or re.regex($e.target.file.full_path, `(?i)manifest\.json$`)
      )
      // Writes by the host application or its updater are expected. This exclusion is by
      // image name only, so a renamed or masquerading binary is not excluded by it.
      and not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|Code\.exe|brave\.exe|opera\.exe|MicrosoftEdgeUpdate\.exe|GoogleUpdate\.exe|chrome_updater\.exe)$`)
    )
    or
    (
      // Branch 2: Registry modification for forced extension installation policy
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e.target.registry.registry_key, `(?i)ExtensionInstallForcelist`)
        or re.regex($e.target.registry.registry_key, `(?i)ExtensionInstallAllowlist`)
        // Blocklist is the current policy name; Blacklist is the legacy spelling still found on older installs
        or re.regex($e.target.registry.registry_key, `(?i)ExtensionInstall(Blocklist|Blacklist)`)
        or (
          // Per-extension keys under the vendor hive (external/pre-installed extension registration)
          re.regex($e.target.registry.registry_key, `(?i)\\Extensions\\.`)
          and (
            re.regex($e.target.registry.registry_key, `(?i)\\Chrome\\`)
            or re.regex($e.target.registry.registry_key, `(?i)\\Edge\\`)
            or re.regex($e.target.registry.registry_key, `(?i)\\Chromium\\`)
          )
        )
      )
    )
    or
    (
      // Branch 3: CLI-based extension installation or loading
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        // Chromium switches: sideload an unpacked directory, package a .crx, or restrict loading to a given extension
        re.regex($e.target.process.command_line, `(?i)(--load-extension|--pack-extension|--disable-extensions-except)`)
        or re.regex($e.target.process.command_line, `(?i)code(-insiders)?\s+--install-extension`)
        or (
          re.regex($e.target.process.command_line, `(?i)\.vsix`)
          and re.regex($e.target.process.command_line, `(?i)install`)
        )
        or (
          re.regex($e.target.process.command_line, `(?i)\.crx`)
          and re.regex($e.target.process.command_line, `(?i)(chrome|edge|brave)`)
        )
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1176 Software Extension abuse across three UDM event types: FILE_CREATION events targeting browser and IDE extension directories for .crx/.xpi/.vsix/manifest.json/.js files written by a process other than the host application or its updater; REGISTRY_MODIFICATION events writing to the ExtensionInstallForcelist, ExtensionInstallAllowlist or ExtensionInstallBlocklist (legacy ExtensionInstallBlacklist) policy keys, or to a per-extension key under a Chrome, Edge or Chromium registry hive; and PROCESS_LAUNCH events carrying Chromium extension-loading switches (--load-extension, --pack-extension, --disable-extensions-except) or VS Code extension installation arguments. Two caveats apply: the process exclusion in the first branch is by image name only, so a renamed or masquerading binary is not excluded, and extensions installed by the browser itself (for example from a web store) are deliberately outside the scope of this rule.
False Positives & Tuning
- Enterprise browser management platforms (Google Workspace Admin, Microsoft Intune) configuring ExtensionInstallForcelist via GPO on managed corporate devices will generate high-volume registry branch alerts
- Developer workstations running browser automation or web scraping tools that load unpacked extensions with --load-extension as part of normal test harness execution
- Extension packaging pipelines that copy built .crx or .vsix artifacts into local extension directories during build and release processes before publishing to marketplaces
Testing Methodology
Validate this detection against the five Atomic Red Team test cases below. Each lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Sideload Unpacked Chrome Extension via Command Line
  Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=chrome.exe, CommandLine containing '--load-extension' and '%TEMP%\malext'. Sysmon Event ID 11 (FileCreate): TargetFilename targeting the malext directory with manifest.json created by cmd.exe. DeviceProcessEvents in MDE will show the Chrome launch with the --load-extension flag; DeviceFileEvents will show manifest.json creation by cmd.exe. Only the PROCESS_LAUNCH branch of the rule fires here: the manifest is written to %TEMP%, outside the extension directories the FILE_CREATION branch monitors.
- Test 2: Force Install Browser Extension via Registry Policy
  Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject=HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1, Details containing the extension ID, Image=reg.exe. DeviceRegistryEvents in MDE: RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData containing the extension ID and update URL. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.
- Test 3: Install Malicious VSCode Extension from .vsix Package
  Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=code.exe (or Code.exe), CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11 (FileCreate): multiple file writes to the %USERPROFILE%\.vscode\extensions\test.test-ext-0.0.1\ directory. DeviceProcessEvents and DeviceFileEvents in MDE will show the VSCode CLI invocation and extension directory population. Because the extension files are written by Code.exe, which the FILE_CREATION branch excludes, expect the PROCESS_LAUNCH branch to carry the alert.
- Test 4: Drop Extension Files Directly into Browser Extension Directory
  Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename targeting the Chrome Extensions directory with manifest.json and background.js, Image=cmd.exe (not chrome.exe). DeviceFileEvents in MDE: FolderPath containing 'Chrome\User Data\Default\Extensions', FileName=manifest.json and background.js, InitiatingProcessFileName=cmd.exe.
- Test 5: Enumerate Installed Extensions for Reconnaissance
  Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe, CommandLine referencing the Chrome Extensions path and Get-ChildItem/Get-Content operations against manifest.json files. Sysmon Event ID 11 may be absent (read-only operation). DeviceProcessEvents in MDE shows PowerShell reading extension manifests. No file modification events, which distinguishes this from installation activity. The rule has no branch for read-only enumeration, so this test should not alert; it confirms the detection stays quiet on reconnaissance and fires only on load, install or policy changes.
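To see the rule, the tuning guidance and the five tests together, the following added example (not Chronicle code and not part of the original page) re-implements the rule's three branches with Python's re module and runs them over hand-built UDM-shaped events modelled on the tests above, plus two expected non-alerts (a web store install written by chrome.exe, and a GPO-applied forcelist) and one harness case. The management-agent process names (svchost.exe, IntuneManagementExtension.exe), the selenium-harness directory and every sample path and command line are assumptions constructed for this example, not facts from the page.

```python
"""Offline emulation of the YARA-L rule above over constructed UDM-shaped events.
Added example, not Chronicle code and not from the original page: the rule's three
branches are re-implemented with Python's re module and exercised against hand-built
events modelled on the five tests and the tuning scenarios. All samples are constructed."""
import re
from typing import Dict, Optional

I = re.IGNORECASE

# Branch 1: file creation inside browser/IDE extension directories by a non-host process.
EXT_DIR = re.compile(
    r"AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\"
    r"|AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\"
    r"|AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*\\extensions\\"
    r"|\.vscode\\extensions\\|AppData\\Roaming\\Code\\extensions\\", I)
EXT_FILE = re.compile(r"\.(crx|xpi|vsix|js)$|manifest\.json$", I)
HOST_APPS = re.compile(r"(chrome\.exe|msedge\.exe|firefox\.exe|Code\.exe|brave\.exe|opera\.exe"
                       r"|MicrosoftEdgeUpdate\.exe|GoogleUpdate\.exe|chrome_updater\.exe)$", I)
# Branch 2: Chromium install-policy keys and per-extension registry entries.
POLICY_KEY = re.compile(r"ExtensionInstall(Forcelist|Allowlist|Blocklist|Blacklist)", I)
EXTERNAL_KEY, VENDOR_KEY = re.compile(r"\\Extensions\\.", I), re.compile(r"\\(Chrome|Edge|Chromium)\\", I)
# Branch 3: extension loading/installation from the command line.
CHROME_FLAGS = re.compile(r"--load-extension|--pack-extension|--disable-extensions-except", I)
VSCODE_INSTALL = re.compile(r"code(-insiders)?\s+--install-extension", I)
VSIX, INSTALL = re.compile(r"\.vsix", I), re.compile(r"install", I)
CRX, CHROMIUM_BIN = re.compile(r"\.crx", I), re.compile(r"chrome|edge|brave", I)


def field(event: dict, path: str) -> str:
    """Walk a dotted UDM path; an unset field reads as '' so the 'not regex' exclusion still passes."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return cur if isinstance(cur, str) else ""


def classify(event: dict) -> Optional[str]:
    """Return the matching branch name, or None, mirroring the rule's events section."""
    etype = field(event, "metadata.event_type")
    if etype == "FILE_CREATION":
        path, writer = field(event, "target.file.full_path"), field(event, "principal.process.file.full_path")
        if EXT_DIR.search(path) and EXT_FILE.search(path) and not HOST_APPS.search(writer):
            return "branch1_file_drop"
    elif etype == "REGISTRY_MODIFICATION":
        key = field(event, "target.registry.registry_key")
        if POLICY_KEY.search(key) or (EXTERNAL_KEY.search(key) and VENDOR_KEY.search(key)):
            return "branch2_registry_policy"
    elif etype == "PROCESS_LAUNCH":
        cmd = field(event, "target.process.command_line")
        if (CHROME_FLAGS.search(cmd) or VSCODE_INSTALL.search(cmd)
                or (VSIX.search(cmd) and INSTALL.search(cmd)) or (CRX.search(cmd) and CHROMIUM_BIN.search(cmd))):
            return "branch3_cli_load"
    return None


# Tuning for the false positives listed above. The management-agent names and the
# harness directory are assumptions for this example; substitute your own inventory.
MANAGED_WRITERS = re.compile(r"\\(svchost|IntuneManagementExtension)\.exe$", I)
HARNESS_LOAD = re.compile(r"--load-extension=\S*\\selenium-harness\\", I)


def classify_tuned(event: dict) -> Optional[str]:
    """classify() with policy writes by management agents and harness loads suppressed."""
    branch = classify(event)
    if branch == "branch2_registry_policy" and MANAGED_WRITERS.search(field(event, "principal.process.file.full_path")):
        return None
    if branch == "branch3_cli_load" and HARNESS_LOAD.search(field(event, "target.process.command_line")):
        return None
    return branch


def udm(event_type: str, principal: str = "", file_path: str = "", registry_key: str = "", command_line: str = "") -> dict:
    """Minimal UDM-shaped event (constructed sample data, not real telemetry)."""
    return {"metadata": {"event_type": event_type},
            "principal": {"process": {"file": {"full_path": principal}}},
            "target": {"file": {"full_path": file_path}, "registry": {"registry_key": registry_key},
                       "process": {"command_line": command_line}}}


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
CMD = r"C:\Windows\System32\cmd.exe"
FORCELIST = r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
EXT_ROOT = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions"
MANIFEST = EXT_ROOT + r"\aaaabbbbccccddddeeeeffffgggghhhh\1.0_0\manifest.json"

SAMPLES: Dict[str, dict] = {  # the five tests, then cases that must not (or should no longer) alert
    "test1_sideload": udm("PROCESS_LAUNCH", CMD, command_line='"' + CHROME + r'" --load-extension=C:\Users\alice\AppData\Local\Temp\malext'),
    "test2_forcelist": udm("REGISTRY_MODIFICATION", r"C:\Windows\System32\reg.exe", registry_key=FORCELIST),
    "test3_vsix": udm("PROCESS_LAUNCH", CMD, command_line=r"code --install-extension C:\Users\alice\Downloads\test-ext-0.0.1.vsix"),
    "test4_drop": udm("FILE_CREATION", CMD, file_path=MANIFEST),
    "test5_enum": udm("PROCESS_LAUNCH", CMD, command_line="powershell.exe Get-ChildItem '" + EXT_ROOT + "' -Recurse -Filter manifest.json | Get-Content"),
    "webstore_install": udm("FILE_CREATION", CHROME, file_path=MANIFEST),
    "gpo_forcelist": udm("REGISTRY_MODIFICATION", r"C:\Windows\System32\svchost.exe", registry_key=FORCELIST),
    "harness_load": udm("PROCESS_LAUNCH", CMD, command_line='"' + CHROME + r'" --load-extension=C:\dev\selenium-harness\ext'),
}


def run(tuned: bool = False) -> Dict[str, Optional[str]]:
    """Evaluate every sample with the raw or tuned logic; returns {name: branch or None}."""
    fn = classify_tuned if tuned else classify
    return {name: fn(ev) for name, ev in SAMPLES.items()}
```

Run `run()` and `run(tuned=True)` side by side: Tests 1 to 4 each land in exactly one branch, Test 5 and the web store install produce nothing in either mode, and the GPO forcelist and harness load alert only before tuning. Note that the tuning keys on the writing process and the load path, which is exactly what a renamed binary or a copied harness directory would defeat, so treat these suppressions as inventory-backed allowlists rather than as part of the detection logic itself.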
References
- https://attack.mitre.org/techniques/T1176/
- https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
- https://www.xorrior.com/No-Place-Like-Chrome/
- https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- https://developer.chrome.com/docs/extensions/mv3/manifest/
- https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallforcelist
- https://support.google.com/chrome/a/answer/9032015
- https://code.visualstudio.com/docs/editor/extension-marketplace
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md
- https://www.mandiant.com/resources/blog/malicious-browser-extensions
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table