Detect Software Extensions in Splunk
Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1176 Software Extensions
- Canonical reference
- https://attack.mitre.org/techniques/T1176/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
(
(EventCode=11
(
TargetFilename="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*"
OR TargetFilename="*\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\*"
OR TargetFilename="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\extensions\\*"
OR TargetFilename="*\\.vscode\\extensions\\*"
OR TargetFilename="*\\AppData\\Roaming\\Code\\extensions\\*"
)
(
TargetFilename="*.crx" OR TargetFilename="*.xpi" OR TargetFilename="*.vsix"
OR TargetFilename="*manifest.json" OR TargetFilename="*.js"
)
NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe"
OR Image="*\\Code.exe" OR Image="*\\brave.exe" OR Image="*\\opera.exe"
OR Image="*\\MicrosoftEdgeUpdate.exe" OR Image="*\\GoogleUpdate.exe")
)
OR
(EventCode IN (12,13,14)
(
TargetObject="*ExtensionInstallForcelist*"
OR TargetObject="*ExtensionInstallAllowlist*"
OR TargetObject="*ExtensionInstallBlacklist*"
OR (TargetObject="*\\Extensions\\*"
AND (TargetObject="*\\Chrome\\*" OR TargetObject="*\\Edge\\*" OR TargetObject="*\\Chromium\\*"))
)
)
OR
(EventCode=1
(
CommandLine="*--load-extension*"
OR CommandLine="*--packed-extension*"
OR CommandLine="*code --install-extension*"
OR CommandLine="*code-insiders --install-extension*"
OR (CommandLine="*.crx*" AND (CommandLine="*chrome*" OR CommandLine="*edge*" OR CommandLine="*brave*"))
OR (CommandLine="*.vsix*" AND CommandLine="*install*")
)
)
)
| eval DetectionType=case(
EventCode=11, "SuspiciousExtensionFileWrite",
EventCode IN (12,13,14), "ExtensionRegistryForceInstall",
EventCode=1, "ExtensionCLIInstall",
true(), "Unknown")
| eval ArtifactPath=coalesce(TargetFilename, TargetObject, CommandLine)
| eval User=coalesce(User, "Unknown")
| table _time, host, User, Image, CommandLine, ArtifactPath, DetectionType, EventCode
| sort - _timeDetects software extension abuse using Sysmon event logs. Three branches: Sysmon Event ID 11 (FileCreate) identifies non-browser processes writing .crx, .xpi, .vsix, manifest.json, or .js files to browser and IDE extension directories; Sysmon Event IDs 12/13/14 (RegistryEvent) detect forced extension installation via policy registry keys (ExtensionInstallForcelist, ExtensionInstallAllowlist); Sysmon Event ID 1 (ProcessCreate) captures extension loading via --load-extension, --packed-extension flags, and CLI install commands for VSCode/Chrome. Results are tagged with a DetectionType field for triage prioritization.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Enterprise software management tools (SCCM, Intune, Workspace ONE) deploying browser extensions via Group Policy or registry-based forced install lists
- Developer workstations with legitimate --load-extension usage during extension development, testing, and debugging workflows
- Security products or SSO agents that manage browser extensions programmatically (e.g., Zscaler, Netskope browser extensions deployed via MDM)
- Automated developer environment setup scripts that install VSCode extensions as part of onboarding or CI/CD bootstrap sequences
- Browser update processes that transiently write to extension directories during version upgrades, triggering file creation events under unexpected parent processes
Other platforms for T1176
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Sideload Unpacked Chrome Extension via Command Line
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=chrome.exe, CommandLine containing '--load-extension' and '%TEMP%\malext'. Sysmon Event ID 11 (FileCreate): TargetFilename targeting the malext directory with manifest.json created by cmd.exe. DeviceProcessEvents in MDE will show the Chrome launch with --load-extension flag. DeviceFileEvents will show manifest.json creation by cmd.exe.
- Test 2Force Install Browser Extension via Registry Policy
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject=HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1, Details containing the extension ID. Image=reg.exe. DeviceRegistryEvents in MDE: RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData containing the extension ID and update URL. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.
- Test 3Install Malicious VSCode Extension from .vsix Package
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=code.exe (or Code.exe), CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11 (FileCreate): Multiple file writes to %USERPROFILE%\.vscode\extensions\test.test-ext-0.0.1\ directory. DeviceProcessEvents and DeviceFileEvents in MDE will show VSCode CLI invocation and extension directory population.
- Test 4Drop Extension Files Directly into Browser Extension Directory
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename targeting Chrome Extensions directory with manifest.json and background.js, Image=cmd.exe (not chrome.exe). DeviceFileEvents in MDE: FolderPath containing 'Chrome\User Data\Default\Extensions', FileName=manifest.json and background.js, InitiatingProcessFileName=cmd.exe.
- Test 5Enumerate Installed Extensions for Reconnaissance
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe, CommandLine referencing Chrome Extensions path and Get-ChildItem/Get-Content operations against manifest.json files. Sysmon Event ID 11 may be absent (read-only operation). DeviceProcessEvents in MDE shows PowerShell reading extension manifests. No file modification events, distinguishing this from installation activity.
References (12)
- https://attack.mitre.org/techniques/T1176/
- https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
- https://www.xorrior.com/No-Place-Like-Chrome/
- https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- https://developer.chrome.com/docs/extensions/mv3/manifest/
- https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallforcelist
- https://support.google.com/chrome/a/answer/9032015
- https://code.visualstudio.com/docs/editor/extension-marketplace
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md
- https://www.mandiant.com/resources/blog/malicious-browser-extensions
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
Unlock Pro Content
Get the full detection package for T1176 including response playbook, investigation guide, and atomic red team tests.