title: Browser Extensions (T1176.001)
id: df00tech-t1176-001
status: experimental
description: "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Malicious extensions can be silently installed by modifying Chromium-based browser Preferences or Secure Preferences files while the browser is closed, via Windows Registry extension force-install policies, or through social engineering. Once installed, malicious extensions can steal credentials, cookies, and form data; capture screenshots; exfiltrate data to attacker-controlled servers; or establish command-and-control channels. Threat actors including Kimsuky (TRANSLATEXT), Lumma Stealer, Mispadu, and Grandoreiro have used malicious browser extensions in targeted campaigns."
references:
  - https://attack.mitre.org/techniques/T1176/001/
  - https://df00tech.com/detections/T1176.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1176.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Enterprise MDM/group policy tools (Intune, SCCM, Workspace ONE) legitimately writing Chrome or Edge extension force-install registry keys for approved extensions like password managers or DLP agents"
  - Browser auto-update processes or the Google Update service modifying extension directories during legitimate extension updates
  - "IT deployment scripts using PowerShell to pre-install approved browser extensions during device provisioning (e.g., corporate new-hire imaging)"
  - Developer workflows where web developers are actively developing and side-loading unpacked extensions in their own browser profiles
  - Security tools or endpoint agents that monitor or back up browser profile data and may trigger on file read/write events in extension directories
level: high