Suspicious Chromium Browser Instance Executed With Custom Extension

Detects a scripting or proxy-execution process (cmd, PowerShell, wscript/cscript, mshta, rundll32, regsvr32) spawning a Chromium-based browser with the '--load-extension=' flag, which makes the browser load an unpacked extension from a local directory. Loaders such as ChromeLoader use this to start a browser instance with a custom, attacker-supplied extension.

Sigma rule

title: Suspicious Chromium Browser Instance Executed With Custom Extension
id: 27ba3207-dd30-4812-abbf-5d20c57d474e
related:
    - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
      type: similar
status: experimental
description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022/06/19
modified: 2023/11/28
tags:
    - attack.persistence
    - attack.t1176
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Unknown
level: high
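The selection above is three AND-ed conditions on a single process_creation event. The following Python is an added example, not part of the rule or of the Sigma project, that applies the same logic to a handful of constructed events (not real telemetry) and pulls the extension directory out of the command line for triage. It assumes Sigma's default semantics for `endswith` and `contains` (case-insensitive), and the regular expression used to extract the flag value is an assumption about how Chromium quotes and comma-separates that argument, not something the rule itself specifies.

```python
import re

# Match lists copied from the rule. Sigma's endswith/contains modifiers are
# case-insensitive by default, so every field is compared in lower case.
PARENT_IMAGES = (
    r"\cmd.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe",
    r"\pwsh.exe", r"\regsvr32.exe", r"\rundll32.exe", r"\wscript.exe",
)
BROWSER_IMAGES = (
    r"\brave.exe", r"\chrome.exe", r"\msedge.exe", r"\opera.exe", r"\vivaldi.exe",
)
FLAG = "--load-extension="

# Assumed shape of the flag value: a double-quoted path or a run of
# non-whitespace characters; Chromium accepts a comma-separated list of
# unpacked extension directories, so one value may name several.
_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """Equivalent of the rule's `selection` block for one process_creation event."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith(PARENT_IMAGES)
        and image.endswith(BROWSER_IMAGES)
        and FLAG in cmdline
    )


def extension_dirs(cmdline: str) -> list[str]:
    """Triage helper: the unpacked extension directories handed to the browser."""
    m = _EXT_RE.search(cmdline)
    if not m:
        return []
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in value.split(",") if p]


def run_detection(events: list[dict]) -> list[dict]:
    """One alert per matching event, carrying the extension paths for the analyst."""
    return [
        {
            "ParentImage": e["ParentImage"],
            "Image": e["Image"],
            "extensions": extension_dirs(e["CommandLine"]),
        }
        for e in events
        if matches_rule(e)
    ]


# Constructed sample events in Sigma field names (not captured telemetry).
SAMPLE_EVENTS = [
    {   # ChromeLoader-style: a PowerShell stage launches Chrome with an unpacked extension
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Public\archive_extension"',
    },
    {   # Same flag, but launched from Explorer (a developer's shortcut): parent not listed, no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\dev\my-extension"',
    },
    {   # Scripting parent and browser child, but no --load-extension: no alert
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://example.com',
    },
    {   # wscript parent, Brave, unquoted comma-separated value, mixed case: still matches
        "ParentImage": r"C:\Windows\System32\WScript.exe",
        "Image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\Brave.exe",
        "CommandLine": r"Brave.exe --LOAD-EXTENSION=C:\Temp\ext1,C:\Temp\ext2 --no-first-run",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

The second and fourth events show the two edges of the rule: a browser started from explorer.exe with the same flag is deliberately outside the parent list, so the rule stays quiet, while a developer who types `chrome.exe --load-extension=...` into a PowerShell prompt will trigger it; that is the main false positive to expect despite the rule listing none, and the extracted directory is what lets an analyst tell a dev checkout under a user's source tree from an extension dropped in a writable location such as C:\Users\Public.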
