| Item | Value |
| --- | --- |
| ID | DET0044 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1176.001 (Browser Extensions)
Analytics
Windows
AN0123
Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| UserContext | Extension installation by privileged or domain users may require higher scrutiny |
| BrowserExecutablePath | Custom or portable browsers may not match default paths |
| ExtensionInstallPath | Installation paths may vary by version or user profile |
macOS
AN0124
Installation of malicious .mobileconfig profiles or browser extension plist entries followed by abnormal browser child process activity.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| PlistPath | Different versions may store extensions in variant preference folders |
| CommandLineFlags | May vary with OS version; some install flags deprecated in macOS 11+ |
Linux
AN0125
Manual or scripted installation of Chrome extensions using user scripts or config files, followed by unexpected network connections from browser processes.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ExtensionDir | Location of Chrome/Chromium extensions under user profile may vary |
| DomainWatchlist | Custom list of suspicious destination domains for browser traffic |
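
The Linux analytic AN0125 as a correlation over endpoint events. This is an added example, not part of the original detection strategy. The event schema, the glob pattern, the watchlist entry, the 10-minute window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Mutable elements of AN0125; every value here is an assumption to tune per site.
EXTENSION_DIRS = ["/home/*/.config/*chrom*/*/Extensions/*"]  # ExtensionDir
DOMAIN_WATCHLIST = {"updates.example.net"}                   # DomainWatchlist
BROWSER_PROCESSES = {"chrome", "chromium"}
WINDOW = timedelta(minutes=10)  # max gap between install and connection

def is_scripted_install(ev):
    # File write under an extension directory by a non-browser process.
    return (ev["type"] == "file_write" and ev["process"] not in BROWSER_PROCESSES
            and any(fnmatchcase(ev["path"], pat) for pat in EXTENSION_DIRS))

def is_watchlisted_connect(ev):
    # Browser connection to a watchlisted domain or one of its subdomains.
    if ev["type"] != "net_connect" or ev["process"] not in BROWSER_PROCESSES:
        return False
    domain = ev["domain"].lower().rstrip(".")
    return any(domain == w or domain.endswith("." + w) for w in DOMAIN_WATCHLIST)

def correlate(events):
    # Pair each watchlisted connection with the same user's latest install.
    last_install, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_scripted_install(ev):
            last_install[ev["user"]] = ev
        elif is_watchlisted_connect(ev):
            inst = last_install.get(ev["user"])
            if inst and ev["ts"] - inst["ts"] <= WINDOW:
                alerts.append((ev["user"], inst["path"], ev["domain"]))
    return alerts

# Constructed sample events in a hypothetical schema (not real telemetry).
T0 = datetime(2025, 10, 21, 9, 0)
SAMPLE_PATH = "/home/alice/.config/google-chrome/Default/Extensions/EXAMPLE_ID/1.0_0/manifest.json"
def make(minute, etype, user, process, **fields):
    return {"ts": T0 + timedelta(minutes=minute), "type": etype,
            "user": user, "process": process, **fields}

SAMPLE_EVENTS = [
    make(0, "file_write", "alice", "bash", path=SAMPLE_PATH),
    make(2, "net_connect", "alice", "chrome", domain="cdn.updates.example.net"),
    make(3, "net_connect", "bob", "chrome", domain="updates.example.net"),
    make(30, "net_connect", "alice", "chrome", domain="updates.example.net"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Only the connection two minutes after the install by the same user alerts. The connection by a user with no install and the one outside the window do not.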