Manual Loading of a Suspicious Chromium Extension

Detects the manual loading of a Chromium-based browser extension via command line arguments. This activity is suspicious and could indicate a threat actor loading a malicious extension to persist or collect browsing secrets such as cookies and authentication tokens.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects the manual loading of a Chromium-based browser extension via command line arguments. This activity
is suspicious and could indicate a threat actor loading a malicious extension to persist or collect browsing
secrets such as cookies and authentication tokens.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Manual Loading of a Suspicious Chromium Extension"
references = [
    "https://cedowens.medium.com/remotely-dumping-chrome-cookies-revisited-b25343257209",
    "https://github.com/cedowens/Dump-Chrome-Cookies"
]
risk_score = 73
rule_id = "f1f3070e-045c-4e03-ae58-d11d43d2ee51"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Manual Loading of a Suspicious Chromium Extension

Chromium-based browsers support loading extensions from local directories using the --load-extension command line flag, bypassing the normal extension store installation process. Threat actors abuse this capability to load malicious extensions that can steal cookies, capture session tokens, intercept form submissions, or inject content into web pages. Unlike store-installed extensions, manually loaded extensions don't undergo security review and can request arbitrary permissions. This detection rule identifies browsers launched with the --load-extension flag from suspicious parent processes.

### Possible investigation steps

- Examine the process.args containing --load-extension to identify the full path of the extension being loaded.
- Navigate to the extension directory and review the manifest.json to understand the permissions requested, including access to cookies, tabs, or web requests.
- Analyze the extension's JavaScript files for malicious functionality such as cookie exfiltration, form interception, or communication with external servers.
- Review the process.parent.executable to understand how the browser was launched with the malicious extension and trace back to the initial execution vector.
- Check for network connections made by the browser process to identify potential data exfiltration endpoints.
- Review browser profile data for evidence of credential theft or session hijacking.
- Search for the same extension path across other systems to identify potential lateral movement or widespread deployment.

### False positive analysis

- Cypress and other automated testing frameworks load extensions for browser automation. These are already excluded in the query.
- ChromeDriver used for Selenium testing loads extensions programmatically. These paths are excluded in the query.
- Developer debugging may require manual extension loading during active development. Verify with development teams if such activities are expected.
- Enterprise browser customization may deploy internal extensions via command line. Review with IT operations to document approved extensions.

### Response and remediation

- Immediately terminate the browser process to stop any ongoing malicious activity such as cookie theft or session hijacking.
- Remove the malicious extension directory from the filesystem to prevent future loading.
- Clear browser session data including cookies, cached credentials, and saved passwords for the affected browser profile.
- Review and revoke any sessions for sensitive web applications that were accessed while the extension was loaded.
- Investigate how the malicious extension was deployed and remediate the initial access vector.
- Block the malicious extension path or hash in endpoint security policies to prevent reloading.
- Reset passwords for web accounts that may have been compromised through the malicious extension.
- Check browser sync settings to ensure the malicious extension doesn't propagate to other devices.
"""
query = '''
process where host.os.type == "macos" and event.action == "exec" and
  process.name in ("Google Chrome", "Brave Browser", "Microsoft Edge") and
  process.args like "--load-extension=/*" and
  not (process.args like "--load-extension=/Users/*/Library/Application Support/Cypress/*" and
       process.parent.executable like ("/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
                                        "/Users/*/Library/Caches/Cypress/*/Cypress.app/Contents/MacOS/Cypress")) and
  not process.parent.executable like ("/opt/homebrew/Caskroom/chromedriver/*/chromedriver",
                                    "/Applications/Cypress.app/Contents/MacOS/Cypress",
                                    "/usr/local/bin/chromedriver")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Persistence"
  id = "TA0003"
  reference = "https://attack.mitre.org/tactics/TA0003/"

  [[rule.threat.technique]]
  name = "Software Extensions"
  id = "T1176"
  reference = "https://attack.mitre.org/techniques/T1176/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Credential Access"
  id = "TA0006"
  reference = "https://attack.mitre.org/tactics/TA0006/"

  [[rule.threat.technique]]
  name = "Steal Web Session Cookie"
  id = "T1539"
  reference = "https://attack.mitre.org/techniques/T1539/"
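
Added example (not code from the Elastic rule or the detection-rules repository): a small Python re-implementation of the query above, run over constructed process events in ECS field names, followed by the manifest.json permission review that the investigation steps call for. It covers both the query's exclusions (Cypress, ChromeDriver) and the first two triage steps (extract the --load-extension path, inspect the manifest). The EQL `like` patterns are approximated with fnmatch globs, and the events, paths, version strings and manifest are constructed sample data, not real telemetry.

```python
"""Re-implementation of the rule's EQL query plus a manifest.json review.
All events and the manifest below are constructed sample data."""
import fnmatch
import json

BROWSERS = {"Google Chrome", "Brave Browser", "Microsoft Edge"}
EXT_ARG_GLOB = "--load-extension=/*"

# Exclusions copied from the rule's query.
CYPRESS_ARG_GLOB = "--load-extension=/Users/*/Library/Application Support/Cypress/*"
CYPRESS_PARENTS = (
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    "/Users/*/Library/Caches/Cypress/*/Cypress.app/Contents/MacOS/Cypress",
)
AUTOMATION_PARENTS = (
    "/opt/homebrew/Caskroom/chromedriver/*/chromedriver",
    "/Applications/Cypress.app/Contents/MacOS/Cypress",
    "/usr/local/bin/chromedriver",
)
# Permissions the guide singles out (cookies, tabs, web requests) plus
# scripting, which lets an extension inject code into pages.
HIGH_RISK_PERMISSIONS = {"cookies", "tabs", "webRequest", "webRequestBlocking", "scripting"}


def _like(value, globs):
    """Approximates EQL `like`: case-sensitive wildcard match against one or more patterns."""
    if isinstance(globs, str):
        globs = (globs,)
    return any(fnmatch.fnmatchcase(value, g) for g in globs)


def load_extension_args(event):
    """Args matching --load-extension=/* (EQL `like` on an array field matches any element)."""
    return [a for a in event.get("process.args", []) if _like(a, EXT_ARG_GLOB)]


def rule_matches(event):
    """True when the event satisfies the rule's query, exclusions included."""
    if event.get("host.os.type") != "macos" or event.get("event.action") != "exec":
        return False
    if event.get("process.name") not in BROWSERS or not load_extension_args(event):
        return False
    parent = event.get("process.parent.executable", "")
    args = event.get("process.args", [])
    # Cypress-managed extension launched by Chrome itself or the cached Cypress binary.
    if any(_like(a, CYPRESS_ARG_GLOB) for a in args) and _like(parent, CYPRESS_PARENTS):
        return False
    # Browser automation drivers (ChromeDriver, installed Cypress app).
    return not _like(parent, AUTOMATION_PARENTS)


def review_manifest(manifest):
    """Summarise the permission surface of a manifest.json (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 lists host match patterns under "permissions" next to API names.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = sorted(h for h in hosts if h == "<all_urls>" or h.split("://", 1)[-1].startswith("*/"))
    return {
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        "broad_host_access": broad,
        "has_background": "background" in manifest,
        "content_script_count": len(manifest.get("content_scripts", [])),
    }


def triage(events, read_manifest):
    """Run the rule over events and enrich each hit with its manifest review.
    read_manifest(extension_dir) returns the manifest.json text for that directory
    (a disk reader in production, a dict lookup here)."""
    findings = []
    for event in events:
        if not rule_matches(event):
            continue
        for arg in load_extension_args(event):
            ext_dir = arg.split("=", 1)[1]
            findings.append({
                "parent": event.get("process.parent.executable"),
                "extension_dir": ext_dir,
                "manifest": review_manifest(json.loads(read_manifest(ext_dir))),
            })
    return findings


# Constructed sample events: one hit, two excluded automation launches, one wrong OS.
CHROME = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
BASE = {"host.os.type": "macos", "event.action": "exec", "process.name": "Google Chrome"}
SAMPLE_EVENTS = [
    {**BASE, "process.args": [CHROME, "--load-extension=/Users/alice/.cache/updater"],
     "process.parent.executable": "/bin/zsh"},  # interactive shell: should alert
    {**BASE, "process.args": [CHROME, "--load-extension=/Users/alice/Library/Application Support/Cypress/cy/production/extension"],
     "process.parent.executable": "/Users/alice/Library/Caches/Cypress/13.6.0/Cypress.app/Contents/MacOS/Cypress"},
    {**BASE, "process.args": [CHROME, "--load-extension=/tmp/selenium-ext"],
     "process.parent.executable": "/opt/homebrew/Caskroom/chromedriver/120.0.6099.71/chromedriver"},
    {**BASE, "host.os.type": "linux", "process.args": ["/opt/google/chrome/chrome", "--load-extension=/home/bob/ext"],
     "process.parent.executable": "/bin/bash"},
]
SAMPLE_MANIFESTS = {  # constructed manifest for the hit above
    "/Users/alice/.cache/updater": json.dumps({
        "manifest_version": 3, "name": "Updater", "version": "1.0",
        "permissions": ["cookies", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
    }),
}


def run_sample():
    return triage(SAMPLE_EVENTS, SAMPLE_MANIFESTS.__getitem__)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Running it reports a single finding: the shell-launched browser, with the extension directory, its parent executable and a manifest summary showing cookies and webRequest permissions together with <all_urls> host access and a background worker, which is exactly the combination the investigation steps flag. The Cypress and ChromeDriver launches drop out through the same exclusions as in the EQL, and the Linux event never enters the rule's scope. In production, `read_manifest` would open `manifest.json` inside the directory taken from process.args; any of the rule's host-scoped paths can be tightened or widened by editing the glob tuples at the top.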
