Installation or execution of a malicious browser or IDE extension, followed by abnormal registry entries or outbound network connections from the host application

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| Image | Path of the browser or IDE launching subprocesses; varies with the installed applications |
| ParentImage | Legitimate parent-child process relationships for known safe extensions |
| RegistryPath | Expected registry keys under HKCU/HKLM for installed extensions |
| TimeWindow | Tunable interval to correlate an extension install with follow-on C2 traffic |
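The correlation this analytic describes, as an added example that is not code from the original page: an extension file or registry write by a browser/IDE process (Sysmon EventCode 11 or 13) is joined to later outbound connections (EventCode 3) from the same Image within TimeWindow, ignoring allowlisted update hosts. Field names follow Sysmon; the host-application list, the allowlisted hosts, the path markers and the 10-minute window are assumed tunables, and the events are constructed.

```python
from datetime import datetime, timedelta
import ntpath

# Tunables (assumed values for this example, not taken from the page).
TIME_WINDOW = timedelta(minutes=10)
KNOWN_HOSTS = {"update.googleapis.com", "clients2.google.com"}   # expected update traffic
HOST_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}  # browser/IDE Images
EXT_MARKERS = ("\\extensions\\", "/extensions/", "extensioninstallforcelist")

def app_name(image):
    """Basename of an Image path; tolerates POSIX separators in mixed telemetry."""
    return ntpath.basename(image.replace("/", "\\")).lower()

def install_events(events):
    """Yield (time, Image) for EventCode 11/13 events where a browser/IDE touched an extension path."""
    for e in events:
        if e["EventCode"] not in (11, 13) or app_name(e["Image"]) not in HOST_APPS:
            continue
        target = e.get("TargetFilename") or e.get("TargetObject") or ""
        if any(m in target.lower() for m in EXT_MARKERS):
            yield datetime.fromisoformat(e["UtcTime"]), e["Image"]

def correlate(events, window=TIME_WINDOW):
    """Return (UtcTime, app, destination) for EventCode 3 hits from the installing Image within `window`."""
    hits = []
    for t_install, image in install_events(events):
        for e in events:
            if e["EventCode"] != 3 or e["Image"] != image:
                continue
            t_conn = datetime.fromisoformat(e["UtcTime"])
            in_window = t_install <= t_conn <= t_install + window
            if in_window and e["DestinationHostname"] not in KNOWN_HOSTS:
                hits.append((e["UtcTime"], app_name(image), e["DestinationHostname"]))
    return hits

# Constructed sample telemetry in a Sysmon-like shape (not real logs).
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2024-05-01T10:00:00", "Image": CHROME,
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\abcdefgh\\1.0_0\\manifest.json"},
    {"EventCode": 3, "UtcTime": "2024-05-01T10:00:40", "Image": CHROME, "DestinationHostname": "update.googleapis.com"},
    {"EventCode": 3, "UtcTime": "2024-05-01T10:02:15", "Image": CHROME, "DestinationHostname": "cdn-sync.example"},
    {"EventCode": 3, "UtcTime": "2024-05-01T11:30:00", "Image": CHROME, "DestinationHostname": "late.example"},
    {"EventCode": 3, "UtcTime": "2024-05-01T10:03:00", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "cdn-sync.example"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("ALERT extension install followed by outbound connection:", hit)
```

Only the in-window connection to a non-allowlisted host from the installing process fires; the allowlisted update check, the connection outside the window and the unrelated process are dropped.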
Installation of configuration profiles or plist entries associated with malicious or unauthorized browser extensions

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | Execution of 'profiles install -type=configuration' |
| File Creation (DC0039) | macos:unifiedlog | Creation of .plist under /Library/Managed Preferences/ |
| Network Traffic Flow (DC0078) | macos:unifiedlog | Suspicious outbound traffic from browser binary to non-standard domains |

| Field | Description |
|---|---|
| PlistPath | Directory path for user-specific extension configuration files |
| CommandLine | Usage of the profiles CLI tool; legitimate tools or MDMs also invoke it |
| TimeWindow | Correlation window between configuration install and observable extension behavior |
Manual or script-based installation of extension-like modules into browser config directories or IDE plugin paths, followed by suspicious network activity

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Creation (DC0039) | fs:fileevents | creat |
| Network Traffic Flow (DC0078) | NSM:Flow | Abnormal browser traffic volume or destination |

| Field | Description |
|---|---|
| DirectoryPath | Common plugin or extension directories; vary by distro or browser (e.g., ~/.config/google-chrome/Default/Extensions) |
| ExecPath | Path to scripting tools used in installation (e.g., bash, curl, unzip) |
| TimeWindow | Tunable interval between install and first network beacon |