title: Software Extensions (T1176)
id: df00tech-t1176
status: experimental
description: "Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces or manually loaded, and they often inherit the permissions and access levels of the host application. Malicious extensions can be introduced through social engineering, compromised marketplaces, or direct installation by adversaries who have already gained system access. Detection is challenging due to the inherent trust placed in extensions and their ability to blend into normal application workflows."
references:
  - https://attack.mitre.org/techniques/T1176/
  - https://df00tech.com/detections/T1176
author: df00tech
date: 2026/04/19
tags:
  - attack.t1176
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Enterprise IT software packaging tools (SCCM, Intune) that deploy browser extensions as part of managed device configuration"
  - Developer workstations where engineers legitimately install unpacked or sideloaded extensions using --load-extension for development and testing purposes
  - "Security tools or browser management platforms (e.g., Ivanti, Workspace ONE) that configure forced extension installs via Group Policy or registry for enterprise DLP or SSO extensions"
  - Automated build pipelines that install VSCode extensions as part of developer environment bootstrapping scripts
  - Legitimate extension marketplace update mechanisms that briefly trigger file writes to extension directories under unusual parent processes during background update checks
level: medium