Browser Extension Install
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
# Elastic prebuilt detection rule "Browser Extension Install": an EQL rule over Elastic Defend
# file events. [metadata] is read by the detection-rules tooling; [rule] is what reaches Kibana.
[metadata]
creation_date = "2023/08/22"
# Events are produced by the Elastic Defend ("endpoint") integration; see `index` under [rule].
integration = ["endpoint"]
maturity = "production"
# Why the stack floor is 8.3.0: the rule schema fields listed here were added in that release.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
description = """
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
# Each run queries the 9 minutes before it. Together with `timestamp_override` the window is
# measured on ingest time, so endpoint events that arrive late are not silently missed.
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
# By Elastic's convention a risk score of 21 corresponds to severity "low"; keep the two in step.
risk_score = 21
rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
severity = "low"
# "Tactic: Persistence" mirrors the [rule.threat.tactic] entry below.
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

# Literal (''') string: the `\\` sequences reach EQL untouched, where they are EQL's own
# escaped backslashes. `:` is EQL's case-insensitive wildcard match; `?:` matches any single
# drive letter. Comments cannot be added inside the string without changing the query, so the
# detection logic is documented here:
#  - Firefox-based: any .xpi file created in a profile's Extensions directory, except Mozilla's
#    own language packs and dictionaries when they are written by firefox.exe (excluded as
#    expected activity).
#  - Chromium-based: any .crx file created in the "Webstore Downloads" directory under a
#    User Data tree; the two wildcard segments below AppData\Local presumably stand for
#    <vendor>\<browser>, e.g. Google\Chrome — confirm against your fleet.
#    NOTE(review): an extension loaded unpacked from a directory or pushed by policy does not
#    necessarily pass through "Webstore Downloads" or leave a .crx there, so such installs likely
#    fall outside this rule; treat it as coverage of store-sourced installs and pair it with
#    other telemetry if broader coverage is required.
query = '''
file where host.os.type == "windows" and event.action : "creation" and
(
 /* Firefox-Based Browsers */
 (
 file.name : "*.xpi" and
 file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
 not
 (
 process.name : "firefox.exe" and
 file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
 )
 ) or
 /* Chromium-Based Browsers */
 (
 file.name : "*.crx" and
 file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
 )
)
'''

# One ATT&CK mapping. The technique array and tactic table that follow belong to this
# [[rule.threat]] element and must stay between it and any further [[rule.threat]] header.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1176"
name = "Browser Extensions"
reference = "https://attack.mitre.org/techniques/T1176/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"