Software Extensions T1176

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.

Events covered

6 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 6 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (11 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (for example eq, contains, ends_with, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 4 | contains 3, match 1 | --load-extension=, --load-extension="*\Appdata\local\chrome", -extoff
Image | 3 | ends_with 3 | \chrome.exe, \brave.exe, \msedge.exe
ParentImage | 2 | ends_with 2 | \cmd.exe, \cscript.exe, \mshta.exe, \powershell.exe
event.type | 2 | eq 2 | change, creation
Details | 1 | length_compare 1 | 0, >
OriginalFileName | 1 | eq 1 | iexplore.exe
ParentCommandLine | 1 | contains 1 | -executionpolicy bypass -windowstyle hidden -e jab
TargetFilename | 1 | wildcard 1 | ?:\users\*\appdata\local\*\*\user data\webstore downloads\*, ?:\users\*\appdata\roaming\*\profiles\*\extensions\*.xpi
TargetObject | 1 | wildcard 1 | hkey_users\*\control panel\desktop\scrnsave.exe, hkey_users\*\environment\userinitmprlogonscript, hkey_users\*\software\microsoft\command processor\autorun
file.name | 1 | ends_with 1 | .crx, .xpi
process_name | 1 | eq 1 | iexplore.exe

Top indicator values (78 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
Image | ends_with | \chrome.exe | 3 | 14
Image | ends_with | \brave.exe | 2 | 21
Image | ends_with | \msedge.exe | 2 | 25
Image | ends_with | \opera.exe | 2 | 23
Image | ends_with | \vivaldi.exe | 2 | 21
CommandLine | contains | --load-extension= | 2 | 2
CommandLine | contains | -extoff | 1 |
ParentImage | ends_with | \powershell.exe | 2 | 25
ParentImage | ends_with | \cmd.exe | 1 | 24
ParentImage | ends_with | \cscript.exe | 1 | 18
ParentImage | ends_with | \mshta.exe | 1 | 14
ParentImage | ends_with | \pwsh.exe | 1 | 22
ParentImage | ends_with | \regsvr32.exe | 1 | 12
ParentImage | ends_with | \rundll32.exe | 1 | 17
ParentImage | ends_with | \wscript.exe | 1 | 20
CommandLine | match | --load-extension="*\Appdata\local\chrome" | 1 |
Details | length_compare | 0 | 1 | 4
Details | length_compare | > | 1 | 4
OriginalFileName | eq | iexplore.exe | 1 |
ParentCommandLine | contains | -executionpolicy bypass -windowstyle hidden -e jab | 1 |
TargetFilename | wildcard | ?:\users\*\appdata\local\*\*\user data\webstore downloads\* | 1 |
TargetFilename | wildcard | ?:\users\*\appdata\roaming\*\profiles\*\extensions\*.xpi | 1 |
TargetObject | wildcard | hkey_users\*\control panel\desktop\scrnsave.exe | 1 |
TargetObject | wildcard | hkey_users\*\environment\userinitmprlogonscript | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\command processor\autorun | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\ctf\langbaraddin\*\filepath | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\internet explorer\extensions\*\exec | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\internet explorer\extensions\*\script | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\windows nt\currentversion\windows\load | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\windows nt\currentversion\windows\run | 1 |

Exclusions (21 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
Details | eq | %windir%\system32\Ribbons.scr | 1
Details | eq | %windir%\system32\rundll32.exe user32.dll,LockWorkStation | 1
Details | eq | C:\Windows\System32\poqexec.exe /skip_critical_poq /display_progress... | 1
Details | eq | C:\windows\System32\poqexec.exe /display_progress \SystemRoot\WinSxS\pending.xml | 1
Details | eq | scrnsave.scr | 1
Details | wildcard | C:\Program Files (x86)\*.exe | 1
Details | wildcard | C:\Program Files\*.exe | 1
Details | wildcard | C:\Windows\system32\userinit.exe | 1
Details | wildcard | cmd.exe | 1
Image | wildcard | c:\program files (x86)\*.exe | 1
Image | wildcard | c:\program files\*.exe | 1
Image | wildcard | c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe | 1
Image | wildcard | c:\windows\system32\msiexec.exe | 1
Image | wildcard | c:\windows\syswow64\msiexec.exe | 1
TargetObject | wildcard | *\software\microsoft\internet explorer\extensions\*\script | 1
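To show how the field/operator/value rows above and the exclusions combine into a rule, here is an added example (not code from the catalog or from any vendor rule) that evaluates two constructed rules over constructed process and registry events. The rule names, the sample events, and the case-insensitive treatment of the operators are assumptions; the selection values and exclusion paths are taken from the tables above.

```python
import fnmatch

# Operators as the catalog names them. Comparison is case-insensitive to
# mirror the lowercase paths and registry keys the catalog normalizes to.
OPS = {
    "eq":        lambda v, p: v.lower() == p.lower(),
    "contains":  lambda v, p: p.lower() in v.lower(),
    "ends_with": lambda v, p: v.lower().endswith(p.lower()),
    "wildcard":  lambda v, p: fnmatch.fnmatchcase(v.lower(), p.lower()),
}

def clause_hits(event, field, op, patterns):
    """A clause matches when the field's value matches any listed pattern."""
    value = event.get(field, "")
    return any(OPS[op](value, p) for p in patterns)

def evaluate(rule, event):
    """Every selection clause must hit and no exclusion clause may hit."""
    if not all(clause_hits(event, *c) for c in rule["selection"]):
        return False
    return not any(clause_hits(event, *c) for c in rule["exclusions"])

# Constructed rule: browser launched with a side-loaded extension directory.
BROWSER_SIDELOAD = {"name": "Browser started with --load-extension", "selection": [
    ("Image", "ends_with", ["\\chrome.exe", "\\brave.exe", "\\msedge.exe", "\\opera.exe", "\\vivaldi.exe"]),
    ("CommandLine", "contains", ["--load-extension="])], "exclusions": []}

# Constructed rule: write to an IE extension Exec/Script value, with the
# Program Files and msiexec exclusions from the table above.
IE_EXTENSION_KEY = {"name": "IE Extensions Script/Exec value written", "selection": [
    ("TargetObject", "wildcard", ["hkey_users\\*\\software\\microsoft\\internet explorer\\extensions\\*\\script",
                                  "hkey_users\\*\\software\\microsoft\\internet explorer\\extensions\\*\\exec"])],
    "exclusions": [("Image", "wildcard", ["c:\\program files\\*.exe", "c:\\program files (x86)\\*.exe",
                                          "c:\\windows\\system32\\msiexec.exe", "c:\\windows\\syswow64\\msiexec.exe"])]}

# Constructed sample events (normalized field names, Sysmon-style values).
EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\alice\AppData\Local\Temp\ext',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Internet Explorer\Extensions\{GUID}\Script"},
    {"Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "TargetObject": r"HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Internet Explorer\Extensions\{GUID}\Script"},
]

def run(rules, events):
    """Return (rule name, event index) for every rule that fires."""
    return [(r["name"], i) for i, e in enumerate(events) for r in rules if evaluate(r, e)]

if __name__ == "__main__":
    for name, idx in run([BROWSER_SIDELOAD, IE_EXTENSION_KEY], EVENTS):
        print(f"{name}: event {idx}")
```

Event 3 is the installer path the exclusion list exists for: the registry write matches the selection but is suppressed, which is the behaviour the Exclusions table is warning new rules to reproduce.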

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.

Sigma: 3 rules
Elastic: 2 rules
Splunk: 1 rule