Type: Detection | Level: high | Status: test
Suspicious Chromium Browser Instance Executed With Custom Extension
Detects a suspicious parent process (a command shell, script host or LOLBIN such as cmd.exe, powershell.exe, mshta.exe or rundll32.exe) spawning a Chromium-based browser with the '--load-extension=' flag, which starts the browser with a custom, unpacked extension loaded from a local directory.
Authors: Aedan Russell, François Hubaut, X__Junior (Nextron Systems)
Created: Sun Jun 19 | Updated: Tue Nov 28
Rule ID: 27ba3207-dd30-4812-abbf-5d20c57d474e | Product: windows
Log Source
Product: windows
Category: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (1 selector)
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
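The selection block above evaluated over a handful of process-creation events, as an added example that is not part of the Sigma rule or the Nextron Systems rule set. It implements the three field matches the way Sigma defines them (endswith/contains, case-insensitive, all fields ANDed within one selection) and goes one step beyond the rule by pulling the extension directories out of the command line for triage, since Chromium accepts a comma-separated list of paths in --load-extension=. The sample events are constructed for illustration and are not real telemetry; the loaded_extension_paths helper and its regex are assumptions of this example, not part of the rule.

```python
import re

# Selection terms copied from the rule's detection block.
PARENT_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe",
)
IMAGE_SUFFIXES = (
    "\\brave.exe", "\\chrome.exe", "\\msedge.exe", "\\opera.exe", "\\vivaldi.exe",
)
COMMANDLINE_SUBSTRING = "--load-extension="

# Value after --load-extension=, either double-quoted or up to the next space
# (assumption for triage; the rule itself only checks for the substring).
_EXT_ARG = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _ends_with_any(value, suffixes):
    # Sigma's endswith modifier is case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when all three selection fields match (fields in one Sigma selection are ANDed)."""
    return (
        _ends_with_any(event.get("ParentImage", ""), PARENT_IMAGE_SUFFIXES)
        and _ends_with_any(event.get("Image", ""), IMAGE_SUFFIXES)
        and COMMANDLINE_SUBSTRING in event.get("CommandLine", "").lower()
    )


def loaded_extension_paths(command_line):
    """Triage helper: split the (possibly quoted, comma-separated) --load-extension= value."""
    m = _EXT_ARG.search(command_line)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in raw.split(",") if p]


def evaluate(events):
    """Return (event index, extension directories) for every event the rule fires on."""
    return [
        (i, loaded_extension_paths(e.get("CommandLine", "")))
        for i, e in enumerate(events)
        if matches_rule(e)
    ]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {  # 0: PowerShell launching Chrome with a sideloaded extension -> fires
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\Public\ext',
    },
    {  # 1: same flag, but parent is explorer.exe (shortcut/double-click) -> no fire
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"msedge.exe" --load-extension=C:\dev\myext',
    },
    {  # 2: cmd.exe parent, but no --load-extension= on the command line -> no fire
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r"chrome.exe --disable-extensions https://example.com",
    },
    {  # 3: mixed case plus a quoted, comma-separated path list -> fires, two directories
        "ParentImage": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\MSEDGE.EXE",
        "CommandLine": r'MSEDGE.EXE --LOAD-EXTENSION="C:\Temp\a b,C:\Temp\c" --no-first-run',
    },
    {  # 4: Firefox is not Chromium-based and not in the Image list -> no fire
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r"firefox.exe --load-extension=C:\x",
    },
]

if __name__ == "__main__":
    for idx, paths in evaluate(SAMPLE_EVENTS):
        print(f"event {idx} matched; extension dirs: {paths}")
```

Event 1 is the case to keep in mind during triage: a developer starting a browser from a shortcut with an unpacked extension never fires this rule, because the parent is not one of the listed shells or script hosts; the rule keys on the parent, not on the flag alone.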
MITRE ATT&CK
Tactic: Persistence (attack.persistence)
Technique: T1176.001 Software Extensions: Browser Extensions (attack.t1176.001)
Rule Metadata
Rule ID
27ba3207-dd30-4812-abbf-5d20c57d474e
Status
test
Level
high
Type
Detection
Created
Sun Jun 19
Modified
Tue Nov 28
Path
rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
Raw Tags
attack.persistence, attack.t1176.001