Browser Extension Install

 1[metadata]
 2creation_date = "2023/08/22"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
11masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.file-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Browser Extension Install"
18risk_score = 21
19rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
20severity = "low"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Persistence",
26    "Data Source: Elastic Defend",
27]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32file where host.os.type == "windows" and event.action : "creation" and 
33(
34  /* Firefox-Based Browsers */
35  (
36    file.name : "*.xpi" and
37    file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
38    not 
39    (
40      process.name : "firefox.exe" and
41      file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
42    )
43  ) or
44  /* Chromium-Based Browsers */
45  (
46    file.name : "*.crx" and
47    file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
48  )
49)
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1176"
57name = "Browser Extensions"
58reference = "https://attack.mitre.org/techniques/T1176/"
59
60
61[rule.threat.tactic]
62id = "TA0003"
63name = "Persistence"
64reference = "https://attack.mitre.org/tactics/TA0003/"