Browser Extension Install
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
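[metadata]
creation_date = "2023/08/22"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2024/10/15"
# Windows integration field mappings changed at 8.14.0; older stacks are not supported.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
# Lookback window per rule execution. Combined with timestamp_override =
# "event.ingested" below, the window is keyed to ingest time rather than event
# time, so events that arrive late from an endpoint are still evaluated.
from = "now-9m"
# One index pattern per integration listed in [metadata].integration, plus the
# legacy Winlogbeat and Endgame patterns.
index = [
  "logs-endpoint.events.file-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
  "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
# Low-severity signal: extension installs are common and benign on their own.
risk_score = 21
rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
  "Data Source: Elastic Endgame",
  "Data Source: SentinelOne",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender for Endpoint",
]
timestamp_override = "event.ingested"
type = "eql"

# Matches file-creation events only, in two branches:
#   * Firefox-based browsers: a new .xpi under a profile's Extensions folder.
#     Language packs and dictionaries written by firefox.exe itself are
#     excluded, presumably as benign noise rather than user-installed add-ons.
#   * Chromium-based browsers: a new .crx in a profile's "Webstore Downloads"
#     folder, i.e. an extension fetched from the Web Store.
# The "?:" prefix in each path matches any drive letter.
# NOTE(review): because event.type is restricted to "creation", an existing
# extension file being overwritten would not match. The Chromium branch also
# only observes Web Store downloads; an extension loaded unpacked from a folder
# or delivered by enterprise policy may never write a .crx to this location —
# confirm coverage expectations before relying on this rule for those paths.
query = '''
file where host.os.type == "windows" and event.type : "creation" and
(
 /* Firefox-Based Browsers */
 (
 file.name : "*.xpi" and
 file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
 not
 (
 process.name : "firefox.exe" and
 file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
 )
 ) or
 /* Chromium-Based Browsers */
 (
 file.name : "*.crx" and
 file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
 )
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1176"
name = "Browser Extensions"
reference = "https://attack.mitre.org/techniques/T1176/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"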