Suspicious Chromium Browser Instance Executed With Custom Extensions

Detects a suspicious process spawning a Chromium-based browser process with the 'load-extension' flag to start an instance with custom extensions

Sigma rule

title: Suspicious Chromium Browser Instance Executed With Custom Extensions
id: 27ba3207-dd30-4812-abbf-5d20c57d474e
status: experimental
description: Detects a suspicious process spawning a Chromium-based browser process with the 'load-extension' flag to start an instance with custom extensions
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022/06/19
modified: 2023/05/02
tags:
    - attack.persistence
    - attack.t1176
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains|all:
            - '--load-extension='
            - '\AppData\Local\'
    condition: selection
falsepositives:
    - Unknown
level: high
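To see what the selection actually matches, here is an added example (not the rule's own code or the Sigma project's): a minimal Python evaluator for this rule's selection, run over constructed process_creation events. The helpers mirror Sigma's default case-insensitive string matching; the event field names follow the rule, and all paths and user names are made up.

```python
# Added example (not the rule's or the Sigma project's code): a minimal
# evaluator for the selection above, using Sigma's default case-insensitive
# string matching, run over constructed process_creation events.
PARENT_IMAGES = [r"\cmd.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe",
                 r"\pwsh.exe", r"\regsvr32.exe", r"\rundll32.exe", r"\wscript.exe"]
BROWSER_IMAGES = [r"\brave.exe", r"\chrome.exe", r"\msedge.exe", r"\opera.exe",
                  r"\vivaldi.exe"]
CMDLINE_ALL = ["--load-extension=", "\\AppData\\Local\\"]


def _endswith_any(value, suffixes):
    # Sigma |endswith: case-insensitive suffix match against any list entry.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value, needles):
    # Sigma |contains|all: every needle must appear, case-insensitively.
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches_rule(event):
    """True when a process_creation event satisfies the rule's selection."""
    return (_endswith_any(event.get("ParentImage", ""), PARENT_IMAGES)
            and _endswith_any(event.get("Image", ""), BROWSER_IMAGES)
            and _contains_all(event.get("CommandLine", ""), CMDLINE_ALL))


# Constructed sample events; paths and user names are made up.
SAMPLE_EVENTS = [
    {   # script host launches Chrome with an unpacked extension from the profile
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"chrome.exe" --load-extension=C:\Users\alice\AppData\Local\Temp\ext'},
    {   # same command line, but the parent is Explorer (user double-click)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"chrome.exe" --load-extension=C:\Users\alice\AppData\Local\Temp\ext'},
    {   # cmd.exe launches Edge, but the extension path is outside AppData\Local
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r"msedge.exe --load-extension=C:\Tools\devext"},
]


def evaluate(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]
```

Only the first sample event fires; the other two show why both the parent-process list and the profile-path substring are needed to keep developer and user-initiated launches out of the alert set.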
