Browser Extension Install

Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.

Elastic rule (View on GitHub)

[metadata]
# Date the rule was first published; updated_date records the last revision.
creation_date = "2023/08/22"
# Integrations whose data streams this rule reads (see `index` under [rule]).
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/10"
# Minimum Elastic Stack version, pinned because of the SentinelOne integration
# change recorded in min_stack_comments.
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 8
[rule]
author = ["Elastic"]
description = """
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
# Lookback window for each scheduled run. The run interval is not set in this
# file (the default applies); 9m is presumably chosen to overlap it so that
# late-arriving events are still evaluated (see timestamp_override below).
from = "now-9m"
# Windows file events from Elastic Defend, Microsoft Defender for Endpoint,
# SentinelOne Cloud Funnel and Sysmon; each source is also named under `tags`.
index = ["logs-endpoint.events.file-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
# Low score/severity: an extension install is common and benign on its own;
# the alert is a persistence indicator to be triaged alongside other activity.
risk_score = 21
rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
# Evaluate the lookback against event.ingested rather than @timestamp, which
# is intended to tolerate delayed shipping from the endpoint.
timestamp_override = "event.ingested"
type = "eql"

# Matches Windows file-creation events for either of two extension artifacts:
#  - Firefox-based: a .xpi written into a profile's Extensions directory,
#    excluding firefox.exe writing its own language packs and dictionaries
#    (presumably routine add-on maintenance; confirm before widening the
#    exclusion to other file names or processes).
#  - Chromium-based: a .crx landing in a "Webstore Downloads" directory. The
#    path glob accepts any two path components between AppData\Local and
#    "User Data", so it is not tied to one vendor or browser name.
# Backslashes are doubled because the EQL string, not TOML, unescapes them:
# this is a TOML literal multi-line string and is passed through verbatim.
query = '''
file where host.os.type == "windows" and event.action : "creation" and 
(
  /* Firefox-Based Browsers */
  (
    file.name : "*.xpi" and
    file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
    not 
    (
      process.name : "firefox.exe" and
      file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
    )
  ) or
  /* Chromium-Based Browsers */
  (
    file.name : "*.crx" and
    file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
  )
)
'''
56
57
[[rule.threat]]
framework = "MITRE ATT&CK"
# T1176 Browser Extensions, mapped under the Persistence tactic (TA0003):
# the detected file creation is the install artifact, not the extension's
# later use.
[[rule.threat.technique]]
id = "T1176"
name = "Browser Extensions"
reference = "https://attack.mitre.org/techniques/T1176/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
