T1176 Elastic Security · Elastic

Detect Software Extensions in Elastic Security

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.

MITRE ATT&CK

Tactic
Persistence
Technique
T1176 Software Extensions
Canonical reference
https://attack.mitre.org/techniques/T1176/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.category == "file" and event.type in ("creation", "change") and
    (
      file.path : ("*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*",
                    "*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\*",
                    "*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\extensions\\*",
                    "*\\.vscode\\extensions\\*",
                    "*\\AppData\\Roaming\\Code\\extensions\\*")
    ) and
    (file.extension in ("crx", "xpi", "vsix", "js") or file.name == "manifest.json") and
    not process.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
                           "Code.exe", "MicrosoftEdgeUpdate.exe", "GoogleUpdate.exe", "chrome_updater.exe")
  )
  or
  (
    event.category == "registry" and
    (
      registry.path : ("*ExtensionInstallForcelist*", "*ExtensionInstallAllowlist*", "*ExtensionInstallBlacklist*") or
      (registry.path : "*\\Extensions\\*" and
       registry.path : ("*\\Chrome\\*", "*\\Edge\\*", "*\\Chromium\\*"))
    )
  )
  or
  (
    event.category == "process" and event.type == "start" and
    (
      process.command_line : ("*--load-extension*", "*--packed-extension*", "*--allow-outdated-plugins*",
                              "*code --install-extension*", "*code-insiders --install-extension*") or
      (process.command_line : "*.vsix*" and process.command_line : "*install*") or
      (process.command_line : "*.crx*" and
       process.command_line : ("*chrome*", "*edge*", "*brave*"))
    )
  )
high severity medium confidence

Detects T1176 Software Extension abuse via three branches using ECS-normalized events: (1) suspicious file writes of .crx/.xpi/.vsix/manifest.json/.js into browser or IDE extension directories by non-browser processes, (2) registry policy modifications forcing extension installation via ExtensionInstallForcelist/Allowlist/Blacklist keys, and (3) command-line invocations of --load-extension, --packed-extension, or code --install-extension arguments. Covers Chrome, Edge, Firefox, Brave, and VS Code extension paths.

Data Sources

Elastic Defend endpoint agentElastic Agent with Windows integrationFilebeat with Sysmon module

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.registry-*logs-endpoint.events.process-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • IT administrators using group policy (GPO) to deploy approved browser extensions via ExtensionInstallForcelist will trigger the registry branch on managed endpoints
  • Developers installing VS Code extensions with 'code --install-extension' or loading unpacked Chrome extensions with --load-extension during development and testing workflows
  • Browser and IDE auto-update mechanisms may write extension files to disk using background updater processes not listed in the allowlist, especially third-party browser variants
Download portable Sigma rule (.yml)

Other platforms for T1176

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Sideload Unpacked Chrome Extension via Command Line

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=chrome.exe, CommandLine containing '--load-extension' and '%TEMP%\malext'. Sysmon Event ID 11 (FileCreate): TargetFilename targeting the malext directory with manifest.json created by cmd.exe. DeviceProcessEvents in MDE will show the Chrome launch with --load-extension flag. DeviceFileEvents will show manifest.json creation by cmd.exe.

  2. Test 2Force Install Browser Extension via Registry Policy

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject=HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1, Details containing the extension ID. Image=reg.exe. DeviceRegistryEvents in MDE: RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData containing the extension ID and update URL. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.

  3. Test 3Install Malicious VSCode Extension from .vsix Package

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=code.exe (or Code.exe), CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11 (FileCreate): Multiple file writes to %USERPROFILE%\.vscode\extensions\test.test-ext-0.0.1\ directory. DeviceProcessEvents and DeviceFileEvents in MDE will show VSCode CLI invocation and extension directory population.

  4. Test 4Drop Extension Files Directly into Browser Extension Directory

    Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename targeting Chrome Extensions directory with manifest.json and background.js, Image=cmd.exe (not chrome.exe). DeviceFileEvents in MDE: FolderPath containing 'Chrome\User Data\Default\Extensions', FileName=manifest.json and background.js, InitiatingProcessFileName=cmd.exe.

  5. Test 5Enumerate Installed Extensions for Reconnaissance

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe, CommandLine referencing Chrome Extensions path and Get-ChildItem/Get-Content operations against manifest.json files. Sysmon Event ID 11 may be absent (read-only operation). DeviceProcessEvents in MDE shows PowerShell reading extension manifests. No file modification events, distinguishing this from installation activity.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1176 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1176.001Browser ExtensionsT1176.002IDE ExtensionsT1539Steal Web Session CookieT1185Browser Session HijackingT1552.001Credentials In FilesT1113Screen CaptureT1115Clipboard DataT1071.001Web ProtocolsT1059.007JavaScriptT1566.002Spearphishing LinkT1195.002Compromise Software Supply Chain

Same Tactic: Persistence

Popular Detections