Detecting Malicious Browser Extensions Across Platforms

Technique Detected: Browser Extensions | T1176.001

ID: DET0044
Domains: Enterprise
Analytics: AN0123, AN0124, AN0125
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0123

Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process.

Log Sources

Data Component | Name | Channel
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=22
Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13

Mutable Elements

Field | Description
UserContext | Extension installation by privileged or domain users may require higher scrutiny
BrowserExecutablePath | Custom or portable browsers may not match default paths
ExtensionInstallPath | Installation paths may vary by version or user profile
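The AN0123 correlation as an added worked example (not part of the original page): a Python pass over constructed Sysmon-style events that pairs an extension install indicator (EventCode 11 write into the per-profile extension store, or EventCode 13 write to Chrome's ExtensionInstallForcelist policy key) with a lookup of a name outside the allow-list by a browser process (EventCode 22, which carries the queried name) inside a ten-minute window. The browser image names, extension path marker, policy key and trusted-domain suffixes are assumptions that map onto the mutable elements above and must be tuned per environment.

```python
from datetime import datetime, timedelta

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # extend for portable/custom browsers
# Install indicators (assumptions): Chrome's per-profile extension store and its force-install policy key.
EXTENSION_PATH_MARKER = r"\user data\default\extensions"
FORCELIST_KEY = r"\software\policies\google\chrome\extensioninstallforcelist"
TRUSTED_SUFFIXES = (".google.com", ".gvt1.com")  # assumption: the organisation's allow-list

# Constructed Sysmon-style events (EventCode 11 file create, 13 registry set, 22 DNS query).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2025-10-21 09:00:05", "Image": CHROME, "TargetFilename":
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaabbbb\1.0_0\manifest.json"},
    {"EventCode": 22, "UtcTime": "2025-10-21 09:02:10", "Image": CHROME, "QueryName": "cdn.ext-update.test"},
    {"EventCode": 22, "UtcTime": "2025-10-21 09:03:00", "Image": CHROME, "QueryName": "clients2.google.com"},
    {"EventCode": 13, "UtcTime": "2025-10-21 10:00:00", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1"},
    {"EventCode": 22, "UtcTime": "2025-10-21 10:30:00", "Image": CHROME, "QueryName": "late.ext-update.test"},
]

def is_install_event(ev):
    # Sysmon 11 writing into the extension store, or Sysmon 13 setting the force-install policy.
    if ev["EventCode"] == 11:
        return EXTENSION_PATH_MARKER in ev.get("TargetFilename", "").lower()
    if ev["EventCode"] == 13:
        return FORCELIST_KEY in ev.get("TargetObject", "").lower()
    return False

def is_untrusted_browser_lookup(ev):
    # Sysmon 22 issued by a browser process for a name that is not on the allow-list.
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    return (ev["EventCode"] == 22 and image in BROWSER_IMAGES
            and not ev["QueryName"].lower().endswith(TRUSTED_SUFFIXES))

def correlate(events, window=timedelta(minutes=10)):
    """Return (install_time, query_name) for each untrusted lookup within `window` after an install."""
    events = sorted(events, key=lambda e: e["UtcTime"])  # same fixed format, so lexical order is time order
    alerts = []
    for i, ev in enumerate(events):
        if not is_install_event(ev):
            continue
        t0 = datetime.fromisoformat(ev["UtcTime"])
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["UtcTime"]) - t0 > window:
                break  # sorted input: nothing further can fall inside the window
            if is_untrusted_browser_lookup(later):
                alerts.append((ev["UtcTime"], later["QueryName"]))
    return alerts
```

The registry-driven install at 10:00 produces no alert because its only untrusted lookup falls outside the window, which is the kind of gap a longer window or a second-stage hunt would need to cover.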

AN0124

Installation of malicious .mobileconfig profiles or browser extension plist entries followed by abnormal browser child process activity.

Log Sources

Data Component | Name | Channel
Command Execution (DC0064) | macos:unifiedlog | profiles install -type=configuration
File Creation (DC0039) | macos:unifiedlog | Creation or modification of browser extension .plist files
Process Creation (DC0032) | macos:unifiedlog | Unexpected child process of Safari or Chrome

Mutable Elements

Field | Description
PlistPath | Different versions may store extensions in variant preference folders
CommandLineFlags | May vary with OS version; some install flags deprecated in macOS 11+

AN0125

Manual or scripted installation of Chrome extensions using user scripts or config files, followed by unexpected network connections from browser processes.

Log Sources

Data Component | Name | Channel
File Access (DC0055) | auditd:SYSCALL | open
Network Traffic Content (DC0085) | NSM:Flow | Browser connections to known C2 or dynamic DNS domains
Process Creation (DC0032) | auditd:SYSCALL | execve

Mutable Elements

Field | Description
ExtensionDir | Location of Chrome/Chromium extensions under user profile may vary
DomainWatchlist | Custom list of suspicious destination domains for browser traffic