
Detect Software Extensions in IBM QRadar

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.

MITRE ATT&CK

Tactic
Persistence
Technique
T1176 Software Extensions
Canonical reference
https://attack.mitre.org/techniques/T1176/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  DATEFORMAT(startTime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  "username" AS Username,
  "HostName" AS Hostname,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  COALESCE("TargetFilename", "TargetObject", "CommandLine") AS ArtifactPath,
  CASE
    WHEN "EventID" = '11' THEN 'SuspiciousExtensionFileWrite'
    WHEN "EventID" IN ('12','13','14') THEN 'ExtensionRegistryForceInstall'
    WHEN "EventID" = '1' THEN 'ExtensionCLIInstall'
    ELSE 'Unknown'
  END AS DetectionType
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      "EventID" = '11'
      AND (
        "TargetFilename" ILIKE '%AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\%\\extensions\\%'
        OR "TargetFilename" ILIKE '%\\.vscode\\extensions\\%'
        OR "TargetFilename" ILIKE '%AppData\\Roaming\\Code\\extensions\\%'
      )
      AND (
        "TargetFilename" ILIKE '%.crx'
        OR "TargetFilename" ILIKE '%.xpi'
        OR "TargetFilename" ILIKE '%.vsix'
        OR "TargetFilename" ILIKE '%.js'
        OR "TargetFilename" ILIKE '%manifest.json'
      )
      AND NOT (
        "Image" ILIKE '%\\chrome.exe'
        OR "Image" ILIKE '%\\msedge.exe'
        OR "Image" ILIKE '%\\firefox.exe'
        OR "Image" ILIKE '%\\Code.exe'
        OR "Image" ILIKE '%\\brave.exe'
        OR "Image" ILIKE '%\\opera.exe'
        OR "Image" ILIKE '%\\MicrosoftEdgeUpdate.exe'
        OR "Image" ILIKE '%\\GoogleUpdate.exe'
      )
    )
    OR
    (
      "EventID" IN ('12','13','14')
      AND (
        "TargetObject" ILIKE '%ExtensionInstallForcelist%'
        OR "TargetObject" ILIKE '%ExtensionInstallAllowlist%'
        OR "TargetObject" ILIKE '%ExtensionInstallBlacklist%'
        OR (
          "TargetObject" ILIKE '%\\Extensions\\%'
          AND (
            "TargetObject" ILIKE '%\\Chrome\\%'
            OR "TargetObject" ILIKE '%\\Edge\\%'
            OR "TargetObject" ILIKE '%\\Chromium\\%'
          )
        )
      )
    )
    OR
    (
      "EventID" = '1'
      AND (
        "CommandLine" ILIKE '%--load-extension%'
        OR "CommandLine" ILIKE '%--packed-extension%'
        OR "CommandLine" ILIKE '%--allow-outdated-plugins%'
        OR "CommandLine" ILIKE '%code --install-extension%'
        OR "CommandLine" ILIKE '%code-insiders --install-extension%'
        OR ("CommandLine" ILIKE '%.vsix%' AND "CommandLine" ILIKE '%install%')
        OR (
          "CommandLine" ILIKE '%.crx%'
          AND ("CommandLine" ILIKE '%chrome%' OR "CommandLine" ILIKE '%edge%' OR "CommandLine" ILIKE '%brave%')
        )
      )
    )
  )
  AND startTime > NOW() - 86400000
ORDER BY startTime DESC
Severity: high. Confidence: medium.

QRadar AQL query detecting T1176 Software Extension abuse from Sysmon and Windows Security event logs. It correlates three branches: Sysmon EventID 11 (file create) for extension-type files (.crx, .xpi, .vsix, .js, manifest.json) written into browser or IDE extension directories by a process other than the browser, IDE or their updaters; EventIDs 12/13/14 (registry create/set/delete) for changes to extension policy keys (ExtensionInstallForcelist, ExtensionInstallAllowlist, ExtensionInstallBlacklist) or browser Extensions keys; and EventID 1 (process create) for command-line extension installation flags such as --load-extension or code --install-extension. The file-write branch excludes writes made by the browser and updater processes themselves to reduce noise; the query is limited to the last 24 hours.

Data Sources

  • Microsoft Windows Security Event Log log source
  • Sysmon log source via Windows Event Forwarding or direct agent

Required Tables

events

False Positives & Tuning

  • Enterprise MDM or endpoint management tools (Intune, SCCM, Jamf) pushing browser extensions via registry GPO settings will generate ExtensionInstallForcelist matches
  • DevOps engineers and QA teams running automated browser testing frameworks (Selenium, Playwright) frequently use --load-extension to load test extensions in CI pipelines
  • Software packaging scripts that extract and stage .crx, .xpi, or .vsix files to local directories as part of offline installation bundles will match the file write branch

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Sideload Unpacked Chrome Extension via Command Line

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=chrome.exe, CommandLine containing '--load-extension' and '%TEMP%\malext'. Sysmon Event ID 11 (FileCreate): TargetFilename targeting the malext directory with manifest.json created by cmd.exe. DeviceProcessEvents in MDE will show the Chrome launch with --load-extension flag. DeviceFileEvents will show manifest.json creation by cmd.exe.

  2. Test 2: Force Install Browser Extension via Registry Policy

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject=HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1, Details containing the extension ID. Image=reg.exe. DeviceRegistryEvents in MDE: RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData containing the extension ID and update URL. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.

  3. Test 3: Install Malicious VSCode Extension from .vsix Package

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=code.exe (or Code.exe), CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11 (FileCreate): Multiple file writes to %USERPROFILE%\.vscode\extensions\test.test-ext-0.0.1\ directory. DeviceProcessEvents and DeviceFileEvents in MDE will show VSCode CLI invocation and extension directory population.

  4. Test 4: Drop Extension Files Directly into Browser Extension Directory

    Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename targeting Chrome Extensions directory with manifest.json and background.js, Image=cmd.exe (not chrome.exe). DeviceFileEvents in MDE: FolderPath containing 'Chrome\User Data\Default\Extensions', FileName=manifest.json and background.js, InitiatingProcessFileName=cmd.exe.

  5. Test 5: Enumerate Installed Extensions for Reconnaissance

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe, CommandLine referencing Chrome Extensions path and Get-ChildItem/Get-Content operations against manifest.json files. Sysmon Event ID 11 may be absent (read-only operation). DeviceProcessEvents in MDE shows PowerShell reading extension manifests. No file modification events, distinguishing this from installation activity.
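The following Python model is an added example, not code from this page or from IBM: it re-implements the WHERE and CASE logic of the AQL query above so the rule can be exercised offline against the five tests in this section and the false-positive cases from the tuning list, without a QRadar instance. The event field names mirror the custom properties the query references (EventID, Image, CommandLine, TargetFilename, TargetObject, username); single backslashes in the Python patterns correspond to the doubled ones in the AQL. All sample events are constructed, and the MDM agent image and CI service account in the tuning layer are placeholders to be replaced with your environment's values.

```python
import re

# Added example (not the page's or IBM's code): Python model of the AQL rule.
LOG_SOURCE_TYPES = {"Microsoft Windows Security Event Log", "Sysmon"}
EXTENSION_DIR_PATTERNS = (
    r"%AppData\Local\Google\Chrome\User Data\Default\Extensions\%",
    r"%AppData\Local\Microsoft\Edge\User Data\Default\Extensions\%",
    r"%AppData\Roaming\Mozilla\Firefox\Profiles\%\extensions\%",
    r"%\.vscode\extensions\%",
    r"%AppData\Roaming\Code\extensions\%",
)
EXTENSION_FILE_PATTERNS = ("%.crx", "%.xpi", "%.vsix", "%.js", "%manifest.json")
TRUSTED_WRITER_PATTERNS = tuple("%\\" + exe for exe in (
    "chrome.exe", "msedge.exe", "firefox.exe", "Code.exe", "brave.exe",
    "opera.exe", "MicrosoftEdgeUpdate.exe", "GoogleUpdate.exe"))
POLICY_KEY_PATTERNS = ("%ExtensionInstallForcelist%", "%ExtensionInstallAllowlist%",
                       "%ExtensionInstallBlacklist%")
BROWSER_HIVE_PATTERNS = (r"%\Chrome\%", r"%\Edge\%", r"%\Chromium\%")
CLI_INSTALL_PATTERNS = ("%--load-extension%", "%--packed-extension%", "%--allow-outdated-plugins%",
                        "%code --install-extension%", "%code-insiders --install-extension%")


def ilike(value, pattern):
    """SQL ILIKE semantics: % matches any run, _ one character, case-insensitive, whole value."""
    if value is None:
        return False
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def any_like(value, patterns):
    return any(ilike(value, p) for p in patterns)


def classify(event):
    """Return the DetectionType the AQL CASE would emit, or None when the WHERE clause rejects the event."""
    if event.get("LogSourceType") not in LOG_SOURCE_TYPES:
        return None
    eid, cmd = event.get("EventID"), event.get("CommandLine")
    if eid == "11":  # file-create branch: extension file in an extension directory, not by the app itself
        tf = event.get("TargetFilename")
        if (any_like(tf, EXTENSION_DIR_PATTERNS) and any_like(tf, EXTENSION_FILE_PATTERNS)
                and not any_like(event.get("Image"), TRUSTED_WRITER_PATTERNS)):
            return "SuspiciousExtensionFileWrite"
    elif eid in ("12", "13", "14"):  # registry branch: policy keys or browser Extensions keys
        to = event.get("TargetObject")
        if any_like(to, POLICY_KEY_PATTERNS) or (
                ilike(to, r"%\Extensions\%") and any_like(to, BROWSER_HIVE_PATTERNS)):
            return "ExtensionRegistryForceInstall"
    elif eid == "1":  # process-create branch: command-line install flags
        if (any_like(cmd, CLI_INSTALL_PATTERNS)
                or (ilike(cmd, "%.vsix%") and ilike(cmd, "%install%"))
                or (ilike(cmd, "%.crx%") and any_like(cmd, ("%chrome%", "%edge%", "%brave%")))):
            return "ExtensionCLIInstall"
    return None


# Tuning layer for the false positives in the list above. Both values are placeholders.
MDM_AGENT_IMAGE_PATTERNS = (r"%\your-mdm-agent.exe",)  # placeholder: your MDM/GPO agent image
CI_TEST_ACCOUNTS = {"svc-ci-selenium"}                 # placeholder: CI accounts running browser tests


def is_expected(event, detection_type):
    """True when a match is explained by sanctioned MDM policy pushes or CI browser-test runs."""
    if detection_type == "ExtensionRegistryForceInstall":
        return any_like(event.get("Image"), MDM_AGENT_IMAGE_PATTERNS)
    if detection_type == "ExtensionCLIInstall":
        return event.get("username") in CI_TEST_ACCOUNTS and ilike(event.get("CommandLine"), "%--load-extension%")
    return False


def alert_names(events):
    """Names of the events that match the rule and survive tuning, in input order."""
    return [name for name, ev in events.items() if classify(ev) and not is_expected(ev, classify(ev))]


S = "Sysmon"
SAMPLE_EVENTS = {  # constructed telemetry modelled on the five tests, plus one CI false positive
    "t1_sideload_cli": {"LogSourceType": S, "EventID": "1", "username": "alice",
                        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                        "CommandLine": r'chrome.exe --load-extension="C:\Users\alice\AppData\Local\Temp\malext"'},
    "t1_manifest_in_temp": {"LogSourceType": S, "EventID": "11", "Image": r"C:\Windows\System32\cmd.exe",
                            "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\malext\manifest.json"},
    "t2_forcelist_reg": {"LogSourceType": S, "EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
                         "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1"},
    "t3_vsix_install": {"LogSourceType": S, "EventID": "1", "username": "alice",
                        "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                        "CommandLine": r"code --install-extension C:\Users\alice\Downloads\test.test-ext-0.0.1.vsix"},
    "t4_drop_into_profile": {"LogSourceType": S, "EventID": "11", "Image": r"C:\Windows\System32\cmd.exe",
                             "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefgh\1.0_0\background.js"},
    "t5_enumerate": {"LogSourceType": S, "EventID": "1", "username": "alice",
                     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "CommandLine": r'powershell -c "Get-ChildItem $env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions -Recurse -Filter manifest.json | Get-Content"'},
    "fp_selenium_ci": {"LogSourceType": S, "EventID": "1", "username": "svc-ci-selenium",
                       "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                       "CommandLine": r"chrome.exe --headless --load-extension=C:\ci\build\testext"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:22} -> {classify(ev)}")
    print("alerts after tuning:", alert_names(SAMPLE_EVENTS))
```

Running the model shows two coverage caveats worth knowing before relying on the rule: the manifest.json that Test 1 writes under %TEMP%\malext is outside every monitored extension directory, so only the chrome.exe --load-extension process event fires for that test; and Test 5 (read-only enumeration with PowerShell) matches none of the three branches, so it must be covered by a separate hunting query. The Selenium-style event is caught by the rule and then suppressed by the tuning layer, which is the intended handling for the CI case in the tuning list.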
