Browser Extension Install
Identifies the installation of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary who has already compromised the system.
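# Elastic prebuilt detection rule: browser extension install on Windows,
# driven by file-creation events from Elastic Defend, Microsoft Defender for
# Endpoint, SentinelOne Cloud Funnel and Sysmon.
[metadata]
creation_date = "2023/08/22"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/10"
# The SentinelOne integration changed incompatibly at 8.13.0, so the rule is
# gated to stacks at or above that version.
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
# Look-back window. Combined with timestamp_override = "event.ingested" below,
# the rule evaluates on ingest time, so events that arrive late from the
# endpoint are still seen within the window.
from = "now-9m"
index = [
    "logs-endpoint.events.file-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
# Low severity by design: legitimate extension installs produce exactly the
# same file events, so a hit is a triage lead (who installed what, from
# where) rather than a standalone indicator of compromise.
risk_score = 21
rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

# Single file-creation event, Windows hosts only. Two branches:
#  - Firefox-based: a *.xpi written under a profile's Extensions directory.
#    Firefox's own language packs and dictionaries written by firefox.exe are
#    excluded as known benign noise.
#  - Chromium-based: a *.crx written under <vendor>\<product>\User Data\
#    Webstore Downloads; the two wildcards cover any Chromium-derived browser
#    that keeps the standard User Data layout.
# Coverage is bounded by these two path patterns: extension files created
# outside them are not matched by this rule.
query = '''
file where host.os.type == "windows" and event.action : "creation" and
(
  /* Firefox-Based Browsers */
  (
    file.name : "*.xpi" and
    file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
    not
    (
      process.name : "firefox.exe" and
      file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
    )
  ) or
  /* Chromium-Based Browsers */
  (
    file.name : "*.crx" and
    file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
  )
)
'''

# MITRE ATT&CK mapping: extensions as a persistence mechanism.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1176"
name = "Browser Extensions"
reference = "https://attack.mitre.org/techniques/T1176/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"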
Related rules
- Creation of a Hidden Local User Account
- Image File Execution Options Injection
- Installation of Custom Shim Databases
- Persistence via Scheduled Job Creation
- Registry Persistence via AppInit DLL