Chromium Browser Instance Executed With Custom Extension
Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
Sigma rule (View on GitHub)
1title: Chromium Browser Instance Executed With Custom Extension
2id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
3related:
4 - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
5 type: similar
6status: test
7description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
8references:
9 - https://redcanary.com/blog/chromeloader/
10 - https://emkc.org/s/RJjuLa
11 - https://www.mandiant.com/resources/blog/lnk-between-browsers
12author: Aedan Russell, frack113, X__Junior (Nextron Systems)
13date: 2022-06-19
14modified: 2023-11-28
15tags:
16 - attack.persistence
17 - attack.t1176
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 Image|endswith:
24 - '\brave.exe'
25 - '\chrome.exe'
26 - '\msedge.exe'
27 - '\opera.exe'
28 - '\vivaldi.exe'
29 CommandLine|contains: '--load-extension='
30 condition: selection
31falsepositives:
32 - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
33level: medium
References
-
ChromeLoader might seem like a run-of-the-mill browser hijacker, but its peculiar use of PowerShell could spell deeper trouble.
Read More -
Engineer Man Knowledge Center or EMKC is an intelligent new platform for quality discussion, questions, challenges, and learning.
Read More -
Two pillars in sleight of hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, the trick needs to be concealed behind something or...
Read More
Related rules
- Suspicious Chromium Browser Instance Executed With Custom Extension
- ChromeLoader Malware Execution
- ChromeLoader NW.js Runtime App Installation Paths
- Web Browser Loading Extension
- Chrome Spawned by Powershell with Load-Extension in Command Line