Web Browser Loading Extension

During execution, SmashJacker forced Google Chrome or Microsoft Edge to open with the command line argument --load-extension so a browser extension could be installed without user interaction. This analytic will likely uncover additional adware in an environment and may need tuning to account for legitimate software installations. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Web Browser Loading Extension
id: 81f18c2e-640e-411d-93c0-496bb713003c
status: experimental
description: |
    During execution, SmashJacker forced Google Chrome or Microsoft Edge to open with
    the command line argument --load-extension so a browser extension can install without
    user interaction. This analytic will likely uncover additional adware in an environment
    and may need tuning to take account for acceptable software installation. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/smashjacker/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.t1176
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
        CommandLine|contains: '--load-extension'
    condition: selection
falsepositives:
    - Unknown
level: low
```
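The following is an added example, not part of the rule above or of the Sigma project, showing how the rule's `selection` evaluates against process-creation events and how the tuning the description calls for can be layered on top of it without weakening the match itself. It re-implements the `Image|endswith` and `CommandLine|contains` modifiers (Sigma string matching is case-insensitive by default), extracts the directory passed to `--load-extension` so an analyst sees where the extension was loaded from, and applies a hypothetical allowlist of approved extension source directories. All events and the `DEV_ALLOWLIST` entry are constructed for the example.

```python
"""Evaluate the 'Web Browser Loading Extension' Sigma selection against
process-creation events and apply an allowlist as a tuning layer.

Added example; the events below are constructed, not real telemetry.
"""
import re

# Mirrors the rule: Image|endswith and CommandLine|contains.
IMAGE_SUFFIXES = ("\\chrome.exe", "\\msedge.exe")
COMMANDLINE_TOKEN = "--load-extension"

# Captures the value of --load-extension=, quoted or unquoted.
# Chrome accepts a comma-separated list of unpacked extension directories.
_EXT_PATH_RE = re.compile(r'--load-extension=(?:"([^"]+)"|([^\s"]+))', re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' block.
    Both fields are lowercased to mimic Sigma's case-insensitive defaults."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIXES) and COMMANDLINE_TOKEN in cmdline


def extension_paths(cmdline: str) -> list:
    """Return the directories handed to --load-extension ([] if none parsed)."""
    m = _EXT_PATH_RE.search(cmdline)
    if not m:
        return []
    raw = m.group(1) or m.group(2)
    return [p.strip() for p in raw.split(",") if p.strip()]


def is_allowlisted(paths: list, allowed_prefixes: tuple) -> bool:
    """Suppress only when every loaded extension lives under an approved prefix.
    An unparseable path never suppresses: the rule still fires for it."""
    if not paths or not allowed_prefixes:
        return False
    prefixes = tuple(a.lower() for a in allowed_prefixes)
    return all(p.lower().startswith(prefixes) for p in paths)


def triage(events: list, allowed_prefixes: tuple = ()) -> list:
    """Run the rule over events and return alert records after tuning."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        paths = extension_paths(ev.get("CommandLine", ""))
        if is_allowlisted(paths, allowed_prefixes):
            continue  # approved developer workflow, not worth an alert
        alerts.append({
            "Image": ev["Image"],
            "ParentImage": ev.get("ParentImage", ""),
            "ExtensionPaths": paths,
        })
    return alerts


# Constructed process_creation events (Sysmon-style field names).
SAMPLE_EVENTS = [
    {   # browser launched by an installer, extension in the user's temp dir: alert
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\ext1"',
    },
    {   # Edge with an unquoted path followed by another switch: alert
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension=C:\Users\alice\Downloads\ext2 --no-first-run',
    },
    {   # ordinary browser launch: no match
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com',
    },
    {   # a browser the rule does not cover: no match
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" --load-extension=C:\x',
    },
    {   # developer loading unpacked extensions from an approved tree: matched, then tuned out
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\dev\myext,C:\dev\otherext"',
    },
]

# Hypothetical tuning entry: directories where approved extension development happens.
DEV_ALLOWLIST = ("C:\\dev\\",)

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, DEV_ALLOWLIST):
        print(alert)
```

Running the block untuned yields three alerts (the two temp/download loads and the developer load); with `DEV_ALLOWLIST` applied the developer launch is suppressed and two remain. Note that the allowlist keys on the extension directory rather than on the parent process: an installer that drops an extension into an approved path would still be suppressed, so pair any such list with the parent-process context the alert record carries.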
