Detect Software Extensions in Sumo Logic CSE
Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1176 Software Extensions
- Canonical reference
- https://attack.mitre.org/techniques/T1176/
Sumo Detection Query
_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*
| parse "<EventID>*</EventID>" as EventID nodrop
| parse "<TargetFilename>*</TargetFilename>" as TargetFilename nodrop
| parse "<TargetObject>*</TargetObject>" as TargetObject nodrop
| parse "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse "<Image>*</Image>" as Image nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| parse "<User>*</User>" as User nodrop
| where
(
EventID = "11"
and (
TargetFilename matches "*AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions*"
or TargetFilename matches "*AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions*"
or TargetFilename matches "*AppData\\Roaming\\Mozilla\\Firefox\\Profiles*"
or TargetFilename matches "*.vscode\\extensions*"
or TargetFilename matches "*AppData\\Roaming\\Code\\extensions*"
)
and (
TargetFilename matches "*.crx"
or TargetFilename matches "*.xpi"
or TargetFilename matches "*.vsix"
or TargetFilename matches "*.js"
or TargetFilename matches "*manifest.json"
)
and not (
Image matches "*\\chrome.exe"
or Image matches "*\\msedge.exe"
or Image matches "*\\firefox.exe"
or Image matches "*\\Code.exe"
or Image matches "*\\brave.exe"
or Image matches "*\\MicrosoftEdgeUpdate.exe"
or Image matches "*\\GoogleUpdate.exe"
)
)
or (
EventID in ("12", "13", "14")
and (
TargetObject matches "*ExtensionInstallForcelist*"
or TargetObject matches "*ExtensionInstallAllowlist*"
or TargetObject matches "*ExtensionInstallBlacklist*"
or (
TargetObject matches "*\\Extensions\\*"
and (
TargetObject matches "*\\Chrome\\*"
or TargetObject matches "*\\Edge\\*"
or TargetObject matches "*\\Chromium\\*"
)
)
)
)
or (
EventID = "1"
and (
CommandLine matches "*--load-extension*"
or CommandLine matches "*--packed-extension*"
or CommandLine matches "*--allow-outdated-plugins*"
or CommandLine matches "*code --install-extension*"
or CommandLine matches "*code-insiders --install-extension*"
or (CommandLine matches "*.vsix*" and CommandLine matches "*install*")
or (
CommandLine matches "*.crx*"
and (CommandLine matches "*chrome*" or CommandLine matches "*edge*" or CommandLine matches "*brave*")
)
)
)
| eval DetectionType = if(EventID = "11", "SuspiciousExtensionFileWrite",
if(EventID in ("12", "13", "14"), "ExtensionRegistryForceInstall",
if(EventID = "1", "ExtensionCLIInstall", "Unknown")))
| eval ArtifactPath = if(EventID = "11", TargetFilename,
if(EventID in ("12", "13", "14"), TargetObject, CommandLine))
| fields _messageTime, Computer, User, Image, CommandLine, ArtifactPath, DetectionType, EventID
| sort by _messageTime descSumo Logic search detecting T1176 Software Extension abuse by parsing Sysmon XML event data from Windows endpoints. Identifies three attack vectors: suspicious extension file writes (Sysmon EID 11) to Chrome, Edge, Firefox, and VS Code extension directories excluding legitimate browser processes; registry policy manipulation (Sysmon EID 12/13/14) targeting ExtensionInstallForcelist and related keys; and command-line extension loading or installation (Sysmon EID 1) via browser flags or VS Code CLI.
Data Sources
Required Tables
False Positives & Tuning
- Helpdesk teams or system administrators manually installing approved browser extensions on user machines via command-line scripting for standardized deployment
- Security research or malware analysis workstations that intentionally load unpacked browser extensions or test .crx/.xpi packages as part of threat analysis workflows
- Application whitelisting or endpoint management agents that legitimately read or write extension metadata files during inventory or compliance scanning operations
Other platforms for T1176
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Sideload Unpacked Chrome Extension via Command Line
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=chrome.exe, CommandLine containing '--load-extension' and '%TEMP%\malext'. Sysmon Event ID 11 (FileCreate): TargetFilename targeting the malext directory with manifest.json created by cmd.exe. DeviceProcessEvents in MDE will show the Chrome launch with --load-extension flag. DeviceFileEvents will show manifest.json creation by cmd.exe.
- Test 2Force Install Browser Extension via Registry Policy
Expected signal: Sysmon Event ID 13 (RegistryValueSet): TargetObject=HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1, Details containing the extension ID. Image=reg.exe. DeviceRegistryEvents in MDE: RegistryKey containing 'ExtensionInstallForcelist', RegistryValueData containing the extension ID and update URL. Security Event ID 4657 (Registry value modified) if object access auditing is enabled.
- Test 3Install Malicious VSCode Extension from .vsix Package
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=code.exe (or Code.exe), CommandLine containing '--install-extension' and '.vsix'. Sysmon Event ID 11 (FileCreate): Multiple file writes to %USERPROFILE%\.vscode\extensions\test.test-ext-0.0.1\ directory. DeviceProcessEvents and DeviceFileEvents in MDE will show VSCode CLI invocation and extension directory population.
- Test 4Drop Extension Files Directly into Browser Extension Directory
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename targeting Chrome Extensions directory with manifest.json and background.js, Image=cmd.exe (not chrome.exe). DeviceFileEvents in MDE: FolderPath containing 'Chrome\User Data\Default\Extensions', FileName=manifest.json and background.js, InitiatingProcessFileName=cmd.exe.
- Test 5Enumerate Installed Extensions for Reconnaissance
Expected signal: Sysmon Event ID 1 (ProcessCreate): Image=powershell.exe, CommandLine referencing Chrome Extensions path and Get-ChildItem/Get-Content operations against manifest.json files. Sysmon Event ID 11 may be absent (read-only operation). DeviceProcessEvents in MDE shows PowerShell reading extension manifests. No file modification events, distinguishing this from installation activity.
References (12)
- https://attack.mitre.org/techniques/T1176/
- https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
- https://www.xorrior.com/No-Place-Like-Chrome/
- https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/
- https://developer.chrome.com/docs/extensions/mv3/manifest/
- https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallforcelist
- https://support.google.com/chrome/a/answer/9032015
- https://code.visualstudio.com/docs/editor/extension-marketplace
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md
- https://www.mandiant.com/resources/blog/malicious-browser-extensions
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
Unlock Pro Content
Get the full detection package for T1176 including response playbook, investigation guide, and atomic red team tests.