Software Extensions (T1176)

Tactic: Persistence

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.

Events covered

7 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 10 rules listed below under "Rules under this technique": which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (20 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 4 | contains 3, match 1 | --load-extension=, --load-extension="*\Appdata\local\chrome", -extoff
Image | 3 | ends_with 3 | \chrome.exe, \brave.exe, \msedge.exe
ParentImage | 2 | ends_with 2 | \cmd.exe, \cscript.exe, \mshta.exe, \powershell.exe
event.type | 2 | eq 2 | change, creation
process_name | 2 | eq 1, in 1 | brave browser, google chrome, iexplore.exe, microsoft edge
Details | 1 | length_compare 1 | 0, >
EventType | 1 | eq 1 | exec
IntVersion | 1 | le 1 | IntVulnVursion
IsActivated | 1 | eq 1 | true
OriginalFileName | 1 | eq 1 | iexplore.exe
ParentCommandLine | 1 | contains 1 | -executionpolicy bypass -windowstyle hidden -e jab
TargetFilename | 1 | wildcard 1 | ?:\users\*\appdata\local\*\*\user data\webstore downloads\*, ?:\users\*\appdata\roaming\*\profiles\*\extensions\*.xpi
TargetObject | 1 | wildcard 1 | hkey_users\*\control panel\desktop\scrnsave.exe, hkey_users\*\environment\userinitmprlogonscript, hkey_users\*\software\microsoft\command processor\autorun
UserAgentOriginal | 1 | is_not_null 1 | (no value; presence check only)
action | 1 | eq 1 | added

Top indicator values (88 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field | Kind | Value | Rules (here) | Corpus reach
Image | ends_with | \chrome.exe | 3 | 13
Image | ends_with | \brave.exe | 2 | 11
Image | ends_with | \msedge.exe | 2 | 14
Image | ends_with | \opera.exe | 2 | 11
Image | ends_with | \vivaldi.exe | 2 | 11
CommandLine | contains | --load-extension= | 2 | 2
CommandLine | contains | -extoff | 1 |
ParentImage | ends_with | \powershell.exe | 2 | 24
ParentImage | ends_with | \cmd.exe | 1 | 20
ParentImage | ends_with | \cscript.exe | 1 | 17
ParentImage | ends_with | \mshta.exe | 1 | 13
ParentImage | ends_with | \pwsh.exe | 1 | 21
ParentImage | ends_with | \regsvr32.exe | 1 | 11
ParentImage | ends_with | \rundll32.exe | 1 | 15
ParentImage | ends_with | \wscript.exe | 1 | 19
CommandLine | match | --load-extension="*\Appdata\local\chrome" | 1 |
Details | length_compare | 0 | 1 | 4
Details | length_compare | > | 1 | 4
EventType | eq | exec | 1 | 171
IntVersion | le | IntVulnVursion | 1 |
IsActivated | eq | true | 1 |
OriginalFileName | eq | iexplore.exe | 1 |
ParentCommandLine | contains | -executionpolicy bypass -windowstyle hidden -e jab | 1 |
TargetFilename | wildcard | ?:\users\*\appdata\local\*\*\user data\webstore downloads\* | 1 |
TargetFilename | wildcard | ?:\users\*\appdata\roaming\*\profiles\*\extensions\*.xpi | 1 |
TargetObject | wildcard | hkey_users\*\control panel\desktop\scrnsave.exe | 1 |
TargetObject | wildcard | hkey_users\*\environment\userinitmprlogonscript | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\command processor\autorun | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\ctf\langbaraddin\*\filepath | 1 | 2
TargetObject | wildcard | hkey_users\*\software\microsoft\internet explorer\extensions\*\exec | 1 | 2

Exclusions (27 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field | Kind | Value | Rules excluding
Details | eq | %windir%\system32\Ribbons.scr | 1
Details | eq | %windir%\system32\rundll32.exe user32.dll,LockWorkStation | 1
Details | eq | C:\Windows\System32\poqexec.exe /skip_critical_poq /display_progress... | 1
Details | eq | C:\windows\System32\poqexec.exe /display_progress \SystemRoot\WinSxS\pending.xml | 1
Details | eq | scrnsave.scr | 1
Details | wildcard | C:\Program Files (x86)\*.exe | 1
Details | wildcard | C:\Program Files\*.exe | 1
Details | wildcard | C:\Windows\system32\userinit.exe | 1
Details | wildcard | cmd.exe | 1
Image | wildcard | c:\program files (x86)\*.exe | 1
Image | wildcard | c:\program files\*.exe | 1
Image | wildcard | c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe | 1
Image | wildcard | c:\windows\system32\msiexec.exe | 1
Image | wildcard | c:\windows\syswow64\msiexec.exe | 1
ParentImage | wildcard | /applications/cypress.app/contents/macos/cypress | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.


Sigma: 3 rules
Elastic: 3 rules
Splunk: 1 rule
Kusto: 2 rules
Panther: 1 rule