{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/browser-extension/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","browser-extension","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the installation of browser extensions on Windows systems, which can be a sign of malicious activity. Threat actors may install malicious browser extensions through app store downloads disguised as legitimate extensions, social engineering tactics, or by directly compromising a system. These extensions can then be used for persistence, data theft, or other malicious purposes. The rule focuses on monitoring file creation events related to browser extension installations, specifically targeting the file paths and types associated with Firefox (.xpi) and Chromium-based browsers (.crx). It excludes known safe processes and extensions to reduce false positives. This detection is relevant for defenders because malicious browser extensions can provide a persistent foothold for attackers, allowing them to maintain access to compromised systems and user data. The rule is based on EQL and can be used with Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user\u0026rsquo;s system is compromised, potentially through social engineering or existing malware.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the system and attempts to install a malicious browser extension.\u003c/li\u003e\n\u003cli\u003eThe attacker drops the extension file (.xpi for Firefox, .crx for Chromium) into the appropriate browser extension directory (e.g., \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\\\\Profiles\\\\*\\\\Extensions\\\\\u003c/code\u003e for Firefox or \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*\\\\*\\\\User Data\\\\Webstore Downloads\\\\\u003c/code\u003e for Chromium).\u003c/li\u003e\n\u003cli\u003eA file creation event is triggered as the extension file is created in the target directory.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies this file creation event based on the file name and path, filtering out known safe processes like firefox.exe.\u003c/li\u003e\n\u003cli\u003eThe malicious extension installs itself into the browser.\u003c/li\u003e\n\u003cli\u003eThe extension gains persistence by loading every time the browser starts.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform malicious actions such as monitoring browsing activity, stealing credentials, or injecting malicious content into web pages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious browser extensions can lead to persistent access to the compromised system, allowing attackers to steal sensitive information such as credentials, financial data, or personal information. This can result in financial loss, identity theft, and reputational damage. The installation of malicious extensions can also lead to the injection of malicious content into web pages, redirecting users to phishing sites or distributing malware. The scope of the impact can range from individual users to entire organizations, depending on the extent of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture the necessary file creation events for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eBrowser Extension Install via File Creation\u003c/code\u003e to your SIEM and tune the exclusions for your specific environment.\u003c/li\u003e\n\u003cli\u003eReview and update the list of known safe processes and extensions in the Sigma rule \u003ccode\u003eBrowser Extension Install via File Creation\u003c/code\u003e to minimize false positives.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting policies to restrict the installation of unauthorized browser extensions.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with installing browser extensions from untrusted sources and encourage them to only install extensions from official browser stores.\u003c/li\u003e\n\u003cli\u003eImplement policies to regularly review installed browser extensions across the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-browser-extension-install/","summary":"This rule identifies the installation of potentially malicious browser extensions, which adversaries can leverage for persistence and unauthorized activity by monitoring file creation events in common browser extension directories on Windows systems.","title":"Detection of Malicious Browser Extension Installation","url":"https://feed.craftedsignal.io/briefs/2024-01-browser-extension-install/"}],"language":"en","title":"CraftedSignal Threat Feed — Browser-Extension","version":"https://jsonfeed.org/version/1.1"}