T1176 Microsoft Sentinel · KQL

Detect Software Extensions in Microsoft Sentinel

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.

MITRE ATT&CK

Tactic
Persistence
Technique
T1176 Software Extensions
Canonical reference
https://attack.mitre.org/techniques/T1176/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let BrowserExtPaths = dynamic([
  "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\",
  "\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\",
  "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\",
  "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Extensions\\"
]);
let IDEExtPaths = dynamic([
  "\\.vscode\\extensions\\",
  "\\AppData\\Roaming\\Code\\extensions\\",
  "\\.vscode-server\\extensions\\"
]);
let SuspiciousExtCommands = dynamic([
  "--load-extension",
  "--packed-extension",
  "--allow-outdated-plugins",
  "code --install-extension",
  "code-insiders --install-extension",
  ".crx",
  ".xpi",
  ".vsix"
]);
let LegitBrowserProcs = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"]);
let LegitIDEProcs = dynamic(["Code.exe", "code", "Code - Insiders.exe", "idea64.exe", "pycharm64.exe"]);
// Branch 1: Suspicious file writes into browser or IDE extension directories
let ExtFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where (FolderPath has_any (BrowserExtPaths) or FolderPath has_any (IDEExtPaths))
| where FileName endswith ".crx" or FileName endswith ".xpi" or FileName endswith ".vsix"
    or FileName =~ "manifest.json" or FileName endswith ".js" or FileName endswith ".dll"
| where InitiatingProcessFileName !in~ (LegitBrowserProcs)
    and InitiatingProcessFileName !in~ (LegitIDEProcs)
    and InitiatingProcessFileName !in~ ("chrome_updater.exe", "MicrosoftEdgeUpdate.exe", "GoogleUpdate.exe")
| extend DetectionType = "SuspiciousExtensionFileWrite"
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 2: Registry-based forced extension installation
let ExtRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "ExtensionInstallForcelist"
    or RegistryKey has "ExtensionInstallAllowlist"
    or (RegistryKey has "\\Extensions\\" and RegistryKey has_any ("\\Chrome\\", "\\Edge\\", "\\Chromium\\"))
    or RegistryKey has "ExtensionInstallBlacklist"
| extend DetectionType = "ExtensionRegistryForceInstall"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 3: Command-line extension installation or loading
let ExtCmdInstall = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SuspiciousExtCommands)
    or (ProcessCommandLine has "--load-extension" and InitiatingProcessFileName !in~ (LegitBrowserProcs))
    or (ProcessCommandLine has ".vsix" and ProcessCommandLine has_any ("install", "--install-extension"))
| extend DetectionType = "ExtensionCLIInstall"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
ExtFileCreation
| union ExtRegistryMod
| union ExtCmdInstall
| sort by Timestamp desc
medium severity medium confidence

Detects suspicious software extension installation and modification across browsers and IDEs using Microsoft Defender for Endpoint tables. Three detection branches: (1) DeviceFileEvents monitors file writes to browser and IDE extension directories by non-browser processes, targeting .crx, .xpi, .vsix, manifest.json, and .js files; (2) DeviceRegistryEvents monitors policy-based forced extension installation via ExtensionInstallForcelist and related registry keys; (3) DeviceProcessEvents monitors command-line extension loading via --load-extension, --packed-extension, and CLI install flags. Legitimate browser/updater processes are excluded to reduce noise.

Data Sources

File: File CreationWindows Registry: Windows Registry Key ModificationProcess: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceFileEventsDeviceRegistryEventsDeviceProcessEvents

False Positives & Tuning

  • Enterprise IT software packaging tools (SCCM, Intune) that deploy browser extensions as part of managed device configuration
  • Developer workstations where engineers legitimately install unpacked or sideloaded extensions using --load-extension for development and testing purposes
  • Security tools or browser management platforms (e.g., Ivanti, Workspace ONE) that configure forced extension installs via Group Policy or registry for enterprise DLP or SSO extensions
  • Automated build pipelines that install VSCode extensions as part of developer environment bootstrapping scripts
  • Legitimate extension marketplace update mechanisms that briefly trigger file writes to extension directories under unusual parent processes during background update checks
Download portable Sigma rule (.yml)

Other platforms for T1176

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Sideload Unpacked Chrome Extension via Command Line

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=chrome.exe, CommandLine containing '--load-extension' and '%TEMP%\malext'. Sysmon Event ID 11 (FileCreate): TargetFilename targeting the malext directory with manifest.json created by cmd.exe. DeviceProcessEvents in MDE will show the Chrome launch with --load-extension flag. DeviceFileEvents will show manifest.json creation by cmd.exe.

  2. Test 2Force Install Browser Extension via Registry Policy

    Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject=HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1, Details containing the extension ID. Image=reg.exe. DeviceRegistryEvents in MDE: RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData containing the extension ID and update URL. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.

  3. Test 3Install Malicious VSCode Extension from .vsix Package

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=code.exe (or Code.exe), CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11 (FileCreate): Multiple file writes to %USERPROFILE%\.vscode\extensions\test.test-ext-0.0.1\ directory. DeviceProcessEvents and DeviceFileEvents in MDE will show VSCode CLI invocation and extension directory population.

  4. Test 4Drop Extension Files Directly into Browser Extension Directory

    Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename targeting Chrome Extensions directory with manifest.json and background.js, Image=cmd.exe (not chrome.exe). DeviceFileEvents in MDE: FolderPath containing 'Chrome\User Data\Default\Extensions', FileName=manifest.json and background.js, InitiatingProcessFileName=cmd.exe.

  5. Test 5Enumerate Installed Extensions for Reconnaissance

    Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe, CommandLine referencing Chrome Extensions path and Get-ChildItem/Get-Content operations against manifest.json files. Sysmon Event ID 11 may be absent (read-only operation). DeviceProcessEvents in MDE shows PowerShell reading extension manifests. No file modification events, distinguishing this from installation activity.

Last updated: 2026-04-19 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1176 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1176.001Browser ExtensionsT1176.002IDE ExtensionsT1539Steal Web Session CookieT1185Browser Session HijackingT1552.001Credentials In FilesT1113Screen CaptureT1115Clipboard DataT1071.001Web ProtocolsT1059.007JavaScriptT1566.002Spearphishing LinkT1195.002Compromise Software Supply Chain

Same Tactic: Persistence

Popular Detections