DET0092 Detection of Malicious or Unauthorized Software Extensions
| Item | Value |
| --- | --- |
| ID | DET0092 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1176 (Software Extensions)
Analytics
Windows
AN0251
Installation or execution of a malicious browser or IDE extension, followed by abnormal registry entries or outbound network connections from the host application
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| Image | Path of the browser or IDE launching subprocesses; may vary depending on installed applications |
| ParentImage | Legitimate parent-child process relationships for known safe extensions |
| RegistryPath | Expected registry keys under HKCU/HKLM for installed extensions |
| TimeWindow | Tunable interval to correlate extension install with follow-on C2 traffic |
macOS
AN0252
Installation of configuration profiles or plist entries associated with malicious or unauthorized browser extensions
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| PlistPath | Directory path for user-specific extension configuration files |
| CommandLine | Usage of the profiles CLI tool; can be modified by legitimate tools or MDMs |
| TimeWindow | Correlation window between configuration install and observable extension behavior |
Linux
AN0253
Manual or script-based installation of extension-like modules into browser config directories or IDE plugin paths, followed by suspicious network activity
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| DirectoryPath | Common plugin or extension directories; may vary by distro or browser (e.g., ~/.config/google-chrome/Default/Extensions) |
| ExecPath | Path to scripting tools used in installation (e.g., bash, curl, unzip) |
| TimeWindow | Tunable interval between install and first network beacon |
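All three analytics (AN0251, AN0252, AN0253) share one shape: an extension install event on a host, followed within a tunable TimeWindow by an outbound connection from the same host application. The following is an added example, not part of DET0092 or of the ATT&CK project, showing how that correlation can be implemented over normalized events. The `Event` fields, the `APPROVED_EXTENSION_IDS` allowlist, the `HOST_APPS` set and every sample value are constructed for illustration and are not drawn from any real telemetry product.

```python
"""Install -> follow-on-network correlation for software extensions.

Added example (not part of DET0092 or the ATT&CK project). Event shapes,
field names and sample values are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical allowlist of extension identifiers the organization approves.
# Any identifier not listed here is treated as unauthorized (a mutable element).
APPROVED_EXTENSION_IDS = {"approved-ext-0001"}

# Host applications (browsers / IDEs) whose outbound traffic is attributed to
# their extensions; corresponds to the Image / ExecPath mutable elements.
HOST_APPS = {"chrome.exe", "msedge.exe", "code.exe", "google-chrome", "code", "Safari"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "extension_install" (registry write, profile, plist, dir create)
    process: str   # host application image name
    detail: str    # extension id for installs, destination for connections


def is_unapproved_install(ev: Event) -> bool:
    """An install event whose extension id is not on the allowlist."""
    return ev.kind == "extension_install" and ev.detail not in APPROVED_EXTENSION_IDS


def correlate(events, time_window=timedelta(minutes=10)):
    """Pair each unapproved extension install with the first outbound
    connection from the same host application on the same host inside
    time_window. Returns a list of (install_event, connection_event)."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, inst in enumerate(ordered):
        if not is_unapproved_install(inst):
            continue
        for later in ordered[i + 1:]:
            if later.ts - inst.ts > time_window:
                break  # events are time-ordered; nothing later can match
            if (later.kind == "network_connection"
                    and later.host == inst.host
                    and later.process == inst.process
                    and later.process in HOST_APPS):
                alerts.append((inst, later))
                break
    return alerts


# Constructed sample events covering the three analytics (RFC 5737 test IPs).
T0 = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE_EVENTS = [
    # Windows (AN0251): unapproved Chrome extension, then a beacon 3 min later.
    Event(T0, "WIN-01", "extension_install", "chrome.exe", "unapproved-ext-aaaa"),
    Event(T0 + timedelta(minutes=3), "WIN-01", "network_connection", "chrome.exe", "203.0.113.10:443"),
    # macOS (AN0252): approved extension installed via a profile; must not alert.
    Event(T0, "MAC-01", "extension_install", "Safari", "approved-ext-0001"),
    Event(T0 + timedelta(minutes=1), "MAC-01", "network_connection", "Safari", "198.51.100.5:443"),
    # Linux (AN0253): unapproved install, connection 45 min later (outside 10 min window).
    Event(T0, "LNX-01", "extension_install", "google-chrome", "unapproved-ext-bbbb"),
    Event(T0 + timedelta(minutes=45), "LNX-01", "network_connection", "google-chrome", "192.0.2.7:8443"),
]


if __name__ == "__main__":
    for inst, conn in correlate(SAMPLE_EVENTS):
        print(f"[{inst.host}] {inst.process} installed {inst.detail} at {inst.ts:%H:%M}, "
              f"connected to {conn.detail} at {conn.ts:%H:%M}")
```

With the default 10-minute window only the Windows pair fires; widening the window to an hour also catches the Linux pair, which is the trade-off the TimeWindow mutable element exposes: a longer window raises recall for slow beacons at the cost of more coincidental pairings between legitimate installs and ordinary browser traffic.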