Browser Extension Install
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
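[metadata]
creation_date = "2023/08/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
# Look-back window per execution. It must cover the rule's run interval (not shown in
# this file) plus expected ingest lag, otherwise events between runs can be missed.
from = "now-9m"
# File events from Elastic Defend only; the query relies on Defend's event.action values.
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
# Low score by design: extension installs are routine user activity, so this rule is
# meant for triage context and correlation rather than stand-alone alerting.
risk_score = 21
rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
]
# Window the rule on ingest time rather than event time so late-arriving endpoint
# events are not silently dropped by the look-back window.
timestamp_override = "event.ingested"
type = "eql"

# Coverage notes for the query below:
# - Firefox branch: matches any .xpi written under a profile's Extensions directory.
#   Language packs and dictionaries are excluded only when firefox.exe writes them, so a
#   file with one of those names dropped by any other process still alerts.
# - Chromium branch: matches .crx files written to the Web Store download staging
#   directory only. Extensions loaded unpacked (developer mode) or pushed by enterprise
#   policy would not be expected to land there and so fall outside this rule; confirm
#   against your telemetry before relying on it for those cases.
# - EQL ":" is case-insensitive wildcard matching, and "?:" in file.path accepts any
#   drive letter, so casing or drive differences do not affect the match.
query = '''
file where host.os.type == "windows" and event.action : "creation" and
(
 /* Firefox-Based Browsers */
 (
 file.name : "*.xpi" and
 file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
 not
 (
 process.name : "firefox.exe" and
 file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
 )
 ) or
 /* Chromium-Based Browsers */
 (
 file.name : "*.crx" and
 file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
 )
)
'''

# ATT&CK mapping: T1176 (Browser Extensions) under the Persistence tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1176"
name = "Browser Extensions"
reference = "https://attack.mitre.org/techniques/T1176/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"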