Detection | medium | test
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium-based browser process launched with the 'load-extension' flag, which starts an instance with a custom (unpacked) extension loaded.
Authors: Aedan Russell, François Hubaut, X__Junior (Nextron Systems)
Created: Sun Jun 19 | Updated: Tue Nov 28
Rule ID: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 | Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (1 selector)
detection:
  selection:
    Image|endswith:
      - '\brave.exe'
      - '\chrome.exe'
      - '\msedge.exe'
      - '\opera.exe'
      - '\vivaldi.exe'
    CommandLine|contains: '--load-extension='
  condition: selection
False Positives
Usage of Chrome extensions in testing tools such as BurpSuite will trigger this alert.
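To show how the selection above behaves on real-looking telemetry, here is an added Python example (not part of the rule or its project) that applies the rule's two conditions to constructed process-creation events and, for each hit, pulls out the directories passed to `--load-extension=` so an analyst can quickly separate a BurpSuite-style false positive from an unexpected extension path. Sigma string modifiers match case-insensitively by default, so the matcher lowercases both fields; the event records and paths are constructed samples, not real logs.

```python
import re
from dataclasses import dataclass

# Selection copied from the rule: Image|endswith list and CommandLine|contains value.
IMAGE_SUFFIXES = ('\\brave.exe', '\\chrome.exe', '\\msedge.exe', '\\opera.exe', '\\vivaldi.exe')
CMDLINE_NEEDLE = '--load-extension='

# Matches --load-extension=<value>, where <value> is either quoted or a bare token.
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


@dataclass
class Hit:
    image: str
    dirs: list  # directories handed to --load-extension, for triage


def matches(event: dict) -> bool:
    """Evaluate the Sigma selection; Sigma modifiers are case-insensitive, so lowercase both fields."""
    image = event.get('Image', '').lower()
    cmdline = event.get('CommandLine', '').lower()
    return image.endswith(IMAGE_SUFFIXES) and CMDLINE_NEEDLE in cmdline


def extension_dirs(cmdline: str) -> list:
    """Return the comma-separated extension directories from the flag value (empty if absent)."""
    m = LOAD_EXT_RE.search(cmdline)
    if not m:
        return []
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in value.split(',') if p]


def run_rule(events) -> list:
    """Apply the rule to a sequence of process-creation events and return the hits."""
    return [Hit(ev['Image'], extension_dirs(ev['CommandLine'])) for ev in events if matches(ev)]


# Constructed sample events (not real telemetry): one Chrome hit, a benign Edge start,
# a Firefox line with the same flag (not a Chromium image, so no match), and an upper-case Brave hit.
SAMPLE_EVENTS = [
    {'Image': r'C:\Program Files\Google\Chrome\Application\chrome.exe',
     'CommandLine': r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\alice\ext1,C:\Users\alice\ext2'},
    {'Image': r'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
     'CommandLine': r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {'Image': r'C:\Program Files\Mozilla Firefox\firefox.exe',
     'CommandLine': r'firefox.exe --load-extension=C:\tmp\ext'},
    {'Image': r'C:\Users\bob\AppData\Local\BraveSoftware\Brave-Browser\Application\BRAVE.EXE',
     'CommandLine': r'BRAVE.EXE --LOAD-EXTENSION="C:\Temp\my ext"'},
]

if __name__ == '__main__':
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit.image, '->', hit.dirs)
```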
MITRE ATT&CK
Tactics
Other
attack.t1176.001
Rule Metadata
Rule ID
88d6e60c-759d-4ac1-a447-c0f1466c2d21
Status
test
Level
medium
Type
Detection
Created
Sun Jun 19
Modified
Tue Nov 28
Path
rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
Raw Tags
attack.persistence, attack.t1176.001