Software Extensions

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms.[1][2] Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.

Malicious extensions can be introduced through various methods, including social engineering, compromised marketplaces, or direct installation by users or by adversaries who have already gained access to a system. Malicious extensions can be named similarly or identically to benign extensions in marketplaces. Security mechanisms in extension marketplaces may be insufficient to detect malicious components, allowing adversaries to bypass automated scanners or exploit trust established during the installation process. Adversaries may also abuse benign extensions to achieve their objectives, such as using legitimate functionality to tunnel data or bypass security controls.

The modular nature of extensions and their integration with host applications make them an attractive target for adversaries seeking to exploit trusted software ecosystems. Detection can be challenging due to the inherent trust placed in extensions during installation and their ability to blend into normal application workflows.

ID: T1176
Sub-techniques: T1176.001, T1176.002
Tactic: Persistence
Platforms: Linux, Windows, macOS
Contributors: Chris Ross @xorrior; Justin Warner, ICEBRG; Manikantan Srinivasan, NEC Corporation India
Version: 2.0
Created: 16 January 2018
Last Modified: 15 April 2025

Mitigations

ID Mitigation Description
M1047 Audit

Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones.

M1038 Execution Prevention

Set an extension allow or deny list as appropriate for your security policy.

M1033 Limit Software Installation

Only install extensions from trusted sources that can be verified.

M1051 Update Software

Ensure operating systems and software are using the most current version.

M1017 User Training

Train users to minimize extension use, and to only install trusted extensions.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for usage of the profiles tool, such as profiles install -type=configuration.

DS0022 File File Creation

Monitor for newly constructed files in directories associated with software extensions. Ensure all listed files align with approved extensions.
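The audit (M1047), allow/deny list (M1038) and file-creation (DS0022) entries above all come down to one check: walk the extension directories, compare what is installed against an approved list, and flag anything that is not on it, with extra attention to names that closely resemble approved extensions (the masquerading the description mentions). The script below is an added example, not code from the ATT&CK page or from MITRE. It assumes the Chromium on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`; the allowlist, the extension IDs and the sample manifests are constructed for the demo, and the set of permissions treated as high-risk is the author's judgement, not a standard.

```python
"""Audit installed browser extensions against an allowlist (added example)."""
import difflib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed allowlist: approved extension ID -> expected display name.
# IDs here are made up (Chromium IDs are 32 letters a-p).
APPROVED: Dict[str, str] = {
    "aaaabbbbccccddddeeeeffffgggghhhh": "Password Manager",
    "bbbbccccddddeeeeffffgggghhhhiiii": "Ad Blocker",
}

# Permissions that give an extension broad reach into the browser; an
# unapproved extension requesting these is escalated rather than just listed.
# This set is an assumption for the example, not an official classification.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "nativeMessaging",
                         "debugger", "cookies", "tabs"}


def load_manifests(ext_root: Path) -> List[dict]:
    """Read every <id>/<version>/manifest.json below ext_root (Chromium layout, assumed)."""
    installed = []
    for manifest in sorted(ext_root.glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            # An unreadable manifest is itself worth a look, so keep the record.
            installed.append({"id": ext_id, "name": "", "permissions": [],
                              "path": str(manifest), "unreadable": True})
            continue
        perms = data.get("permissions", []) + data.get("host_permissions", [])
        installed.append({"id": ext_id, "name": str(data.get("name", "")),
                          "permissions": [p for p in perms if isinstance(p, str)],
                          "path": str(manifest), "unreadable": False})
    return installed


def audit(installed: List[dict], approved: Dict[str, str] = APPROVED,
          lookalike_cutoff: float = 0.8) -> List[dict]:
    """Return one finding per extension that deviates from the allowlist."""
    findings = []
    for ext in installed:
        if ext["unreadable"]:
            findings.append({**ext, "issue": "unreadable manifest", "risky_permissions": []})
            continue
        if ext["id"] in approved:
            # Same ID but a different name than expected: the update channel or the
            # allowlist entry deserves a review.
            if ext["name"] != approved[ext["id"]]:
                findings.append({**ext, "issue": "approved ID but name changed", "risky_permissions": []})
            continue  # approved ID with the expected name: nothing to report
        issue = "not on allowlist"
        # Names close to an approved one are the masquerading case called out above.
        lookalike = difflib.get_close_matches(ext["name"], list(approved.values()),
                                              n=1, cutoff=lookalike_cutoff)
        if lookalike:
            issue += f"; name resembles approved '{lookalike[0]}'"
        risky = sorted(set(ext["permissions"]) & HIGH_RISK_PERMISSIONS)
        findings.append({**ext, "issue": issue, "risky_permissions": risky})
    return findings


def build_sample_profile(root: Path) -> Path:
    """Write constructed manifests in the assumed Chromium layout for the demo."""
    samples = {
        ("aaaabbbbccccddddeeeeffffgggghhhh", "3.2.0"):
            {"name": "Password Manager", "permissions": ["storage"]},
        ("ccccddddeeeeffffgggghhhhiiiijjjj", "1.0.1"):
            {"name": "Passw0rd Manager", "permissions": ["<all_urls>", "nativeMessaging", "storage"]},
        ("ddddeeeeffffgggghhhhiiiijjjjkkkk", "0.9"):
            {"name": "Weather Widget", "permissions": ["storage"]},
    }
    ext_root = root / "Default" / "Extensions"
    for (ext_id, version), manifest in samples.items():
        target = ext_root / ext_id / version
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def run_demo() -> List[dict]:
    """Build the constructed profile in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit(load_manifests(build_sample_profile(Path(tmp))))
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['id']}  {f['name']!r}: {f['issue']}  risky={f['risky_permissions']}")
```

Run against a real profile by calling `audit(load_manifests(Path(profile) / "Extensions"))` with the allowlist maintained by the owning team; keying the allowlist on ID rather than name is what makes the lookalike check meaningful, since the name is the part an imposter copies.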

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Flow

Monitor for network traffic directed towards software services from servers or network zones that should not be communicating with this service.

DS0009 Process Process Creation

Monitor for processes associated with extension-capable software on servers where they should not be running.

DS0024 Windows Registry Windows Registry Key Creation

Monitor for new items written to the Registry, or PE files written to disk, that may correlate with extension installation.

References