Browser Extension Install

Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/08/22"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.file-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "endgame-*"
]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
risk_score = 21
rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type : "creation" and
(
  /* Firefox-Based Browsers */
  (
    file.name : "*.xpi" and
    file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
    not
    (
      process.name : "firefox.exe" and
      file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
    )
  ) or
  /* Chromium-Based Browsers */
  (
    file.name : "*.crx" and
    file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
  )
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Browser Extension Install
Browser extensions enhance functionality in web browsers but can be exploited by adversaries to gain persistence or execute malicious activities. Attackers may disguise harmful extensions as legitimate or use compromised systems to install them. The detection rule identifies suspicious extension installations by monitoring file creation events in typical extension directories, filtering out known safe processes, and focusing on Windows environments.

### Possible investigation steps

- Review the file creation event details to identify the specific browser extension file (e.g., .xpi or .crx) and its path to determine if it aligns with known malicious patterns or locations.
- Check the process that initiated the file creation event, especially if it is not a known safe process like firefox.exe, to assess if it is a legitimate application or potentially malicious.
- Investigate the user account associated with the file creation event to determine if the activity is expected or if the account may have been compromised.
- Examine recent system activity and logs for any signs of social engineering attempts or unauthorized access that could have led to the installation of the extension.
- Cross-reference the extension file name and path with threat intelligence sources to identify if it is associated with known malicious browser extensions.
- If applicable, review the browser's extension management interface to verify the presence and legitimacy of the installed extension.

### False positive analysis

- Language pack installations for Firefox can trigger false positives. Exclude files named "langpack-*@firefox.mozilla.org.xpi" from detection to prevent unnecessary alerts.
- Dictionary add-ons for Firefox may also be flagged. Add exceptions for files named "*@dictionaries.addons.mozilla.org.xpi" to reduce false positives.
- Regular updates or installations of legitimate browser extensions from trusted sources can be mistaken for malicious activity. Maintain a list of trusted processes and paths to exclude from monitoring.
- User-initiated installations from official browser stores might be flagged. Educate users on safe installation practices and consider excluding known safe processes like "firefox.exe" when associated with legitimate extension paths.
- Frequent installations in enterprise environments due to software deployment tools can cause alerts. Coordinate with IT to identify and exclude these routine activities from detection.

### Response and remediation

- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Terminate any suspicious processes associated with the unauthorized browser extension installation, such as unknown or unexpected instances of browser processes.
- Remove the malicious browser extension by deleting the associated files from the extension directories identified in the alert.
- Conduct a full antivirus and anti-malware scan on the affected system to identify and remove any additional threats or remnants of the malicious extension.
- Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1176"
name = "Browser Extensions"
reference = "https://attack.mitre.org/techniques/T1176/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```

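To make the two branches of the query and its Firefox exclusion concrete, the following is an added Python re-implementation of the rule's matching logic, run over constructed file events; it is not Elastic's EQL engine or the rule's own code. It approximates the EQL `:` operator with case-insensitive wildcard matching, treats `event.type` as a single string, and uses flattened ECS field names and an invented user profile path for the sample data.

```python
import fnmatch

# Wildcard patterns taken from the rule's EQL query (raw strings, single backslashes).
FIREFOX_XPI_PATH = r"?:\Users\*\AppData\Roaming\*\Profiles\*\Extensions\*.xpi"
FIREFOX_BENIGN = ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
CHROMIUM_CRX_PATH = r"?:\Users\*\AppData\Local\*\*\User Data\Webstore Downloads\*"

def eql_like(value: str, pattern: str) -> bool:
    """Approximate EQL's ':' operator: case-insensitive, '*' any run, '?' one char."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def matches_rule(event: dict) -> bool:
    """True if a flattened ECS file event would fire the Browser Extension Install rule."""
    if event.get("event.category") != "file" or event.get("host.os.type") != "windows":
        return False
    if not eql_like(event.get("event.type", ""), "creation"):
        return False
    name, path, proc = (event.get(k, "") for k in ("file.name", "file.path", "process.name"))
    # Firefox branch: .xpi in a profile's Extensions folder, minus the language packs
    # and dictionaries that firefox.exe itself writes (both conditions are required).
    firefox_hit = eql_like(name, "*.xpi") and eql_like(path, FIREFOX_XPI_PATH)
    firefox_benign = eql_like(proc, "firefox.exe") and any(eql_like(name, p) for p in FIREFOX_BENIGN)
    if firefox_hit and not firefox_benign:
        return True
    # Chromium branch: any .crx landing in the Webstore Downloads folder, whatever the process.
    return eql_like(name, "*.crx") and eql_like(path, CHROMIUM_CRX_PATH)

def mk(path: str, proc: str, os_type: str = "windows", etype: str = "creation") -> dict:
    """Constructed, flattened ECS file event (sample data, not real telemetry)."""
    return {"event.category": "file", "event.type": etype, "host.os.type": os_type,
            "file.name": path.rsplit("\\", 1)[-1], "file.path": path, "process.name": proc}

FF_EXT = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\extensions"
CHROME_DL = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Webstore Downloads"
SAMPLE_EVENTS = {  # constructed cases, label -> event
    "firefox langpack": mk(FF_EXT + r"\langpack-en-GB@firefox.mozilla.org.xpi", "firefox.exe"),
    "firefox dictionary": mk(FF_EXT + r"\en-GB@dictionaries.addons.mozilla.org.xpi", "firefox.exe"),
    "firefox other addon": mk(FF_EXT + r"\helper@example.invalid.xpi", "firefox.exe"),
    "langpack by other process": mk(FF_EXT + r"\langpack-en-GB@firefox.mozilla.org.xpi", "unknown.exe"),
    "chrome webstore crx": mk(CHROME_DL + r"\sample-extension.crx", "chrome.exe"),
    "crx outside webstore dir": mk(r"C:\Users\alice\Desktop\sample-extension.crx", "chrome.exe"),
    "crx modified not created": mk(CHROME_DL + r"\sample-extension.crx", "chrome.exe", etype="modification"),
    "non-windows host": mk(FF_EXT + r"\helper@example.invalid.xpi", "firefox.exe", os_type="linux"),
}

def evaluate_samples() -> dict:
    """Map each constructed case to whether the rule fires."""
    return {label: matches_rule(ev) for label, ev in SAMPLE_EVENTS.items()}
```

Note that the language-pack and dictionary exclusion only applies when the writer is firefox.exe, so the same file name written by another process still fires, while a .crx is matched on its path alone.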
