T1176 CrowdStrike LogScale · LogScale

Detect Software Extensions in CrowdStrike LogScale

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.

MITRE ATT&CK

Tactic
Persistence
Technique
T1176 Software Extensions
Canonical reference
https://attack.mitre.org/techniques/T1176/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName in ["PeFileWritten", "AsepValueUpdate", "RegKeyUpdate", "ProcessRollup2"]
| case {
    #event_simpleName = "PeFileWritten"
      | test(TargetFileName = /(?i)(AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\|AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\|AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.*extensions\\|\.vscode\\extensions\\|AppData\\Roaming\\Code\\extensions\\)/)
      | test(TargetFileName = /(?i)\.(crx|xpi|vsix|js)$|manifest\.json$/)
      | test(ImageFileName != /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|Code\.exe|brave\.exe|opera\.exe|MicrosoftEdgeUpdate\.exe|GoogleUpdate\.exe|chrome_updater\.exe)$/)
      | DetectionType := "SuspiciousExtensionFileWrite"
      | ArtifactPath := TargetFileName ;

    #event_simpleName in ["AsepValueUpdate", "RegKeyUpdate"]
      | test(RegObjectName = /(?i)(ExtensionInstallForcelist|ExtensionInstallAllowlist|ExtensionInstallBlacklist)|(\\Extensions\\.*\\(Chrome|Edge|Chromium)\\)/)
      | DetectionType := "ExtensionRegistryForceInstall"
      | ArtifactPath := RegObjectName ;

    #event_simpleName = "ProcessRollup2"
      | test(CommandLine = /(?i)(--load-extension|--packed-extension|--allow-outdated-plugins|code(-insiders)?\s+--install-extension)|(\.crx.*chrome|\.crx.*edge|\.crx.*brave|\.vsix.*install)/)
      | DetectionType := "ExtensionCLIInstall"
      | ArtifactPath := CommandLine ;

    * | drop()
  }
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ArtifactPath, DetectionType])
| sort(field=_time, order=desc)
high severity medium confidence

CrowdStrike LogScale CQL query detecting T1176 Software Extension abuse using Falcon sensor telemetry. Uses a case-based dispatch over three Falcon event types: PeFileWritten for suspicious extension file drops (.crx/.xpi/.vsix/manifest.json/.js) into browser or IDE extension directories by non-browser processes; AsepValueUpdate/RegKeyUpdate for registry persistence via ExtensionInstallForcelist and related policy keys; and ProcessRollup2 for command-line extension installation flags (--load-extension, code --install-extension) or inline .crx/.vsix references.

Data Sources

CrowdStrike Falcon sensor (full EDR telemetry)Falcon Data Replicator or Humio/LogScale ingestion pipeline

Required Tables

PeFileWritten Falcon eventsAsepValueUpdate Falcon eventsRegKeyUpdate Falcon eventsProcessRollup2 Falcon events

False Positives & Tuning

  • CrowdStrike Falcon itself or other endpoint agents may write files to monitored extension paths during telemetry collection or extension enumeration scans, triggering false PeFileWritten matches
  • Software developers using VS Code Remote extensions or Dev Containers that automatically sync and install extensions to .vscode-server paths on remote hosts via automated tooling
  • Corporate browser provisioning scripts that stage pre-approved .crx packages locally and install them using Chrome command-line flags as part of a standardized onboarding image build
Download portable Sigma rule (.yml)

Other platforms for T1176

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Sideload Unpacked Chrome Extension via Command Line

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=chrome.exe, CommandLine containing '--load-extension' and '%TEMP%\malext'. Sysmon Event ID 11 (FileCreate): TargetFilename targeting the malext directory with manifest.json created by cmd.exe. DeviceProcessEvents in MDE will show the Chrome launch with --load-extension flag. DeviceFileEvents will show manifest.json creation by cmd.exe.

  2. Test 2Force Install Browser Extension via Registry Policy

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject=HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1, Details containing the extension ID. Image=reg.exe. DeviceRegistryEvents in MDE: RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData containing the extension ID and update URL. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.

  3. Test 3Install Malicious VSCode Extension from .vsix Package

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=code.exe (or Code.exe), CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11 (FileCreate): Multiple file writes to %USERPROFILE%\.vscode\extensions\test.test-ext-0.0.1\ directory. DeviceProcessEvents and DeviceFileEvents in MDE will show VSCode CLI invocation and extension directory population.

  4. Test 4Drop Extension Files Directly into Browser Extension Directory

    Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename targeting Chrome Extensions directory with manifest.json and background.js, Image=cmd.exe (not chrome.exe). DeviceFileEvents in MDE: FolderPath containing 'Chrome\User Data\Default\Extensions', FileName=manifest.json and background.js, InitiatingProcessFileName=cmd.exe.

  5. Test 5Enumerate Installed Extensions for Reconnaissance

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe, CommandLine referencing Chrome Extensions path and Get-ChildItem/Get-Content operations against manifest.json files. Sysmon Event ID 11 may be absent (read-only operation). DeviceProcessEvents in MDE shows PowerShell reading extension manifests. No file modification events, distinguishing this from installation activity.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1176 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1176.001Browser ExtensionsT1176.002IDE ExtensionsT1539Steal Web Session CookieT1185Browser Session HijackingT1552.001Credentials In FilesT1113Screen CaptureT1115Clipboard DataT1071.001Web ProtocolsT1059.007JavaScriptT1566.002Spearphishing LinkT1195.002Compromise Software Supply Chain

Same Tactic: Persistence

Popular Detections