# Suspicious File Creation via Browser Extensions
Malicious browser extensions can be installed through app-store downloads that masquerade as legitimate extensions, through social engineering, or by an adversary who has already compromised the system.
| id | 7797d204-3205-4033-bac7-658fc203198d |
|---|---|
| categories | enrich |
| confidence | low |
| os | macos, windows |
| created | 7/26/2019 |
| updated | 7/26/2019 |
## MITRE ATT&CK™ Mapping

| tactics | Persistence |
|---|---|
| techniques | T1176 Browser Extensions |
## Query

```eql
file where not subtype.delete and
  wildcard(file_name, "*.exe", "*.dll", "*.ps1", "*.vbs", "*.bat") and
  wildcard(file_path,
    // windows
    "*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*",
    "*:\\Program Files\\Mozilla Firefox\\plugins\\*",
    "*:\\Program Files\\Internet Explorer\\Plugins\\*",
    // macos
    "/Applications/Firefox.app/Contents/MacOS/firefox/plugins/*",
    "/Users/*/Library/Safari/Extensions/*",
    "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/*"
  )
```
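To see what the query keys on, the following added Python example (not part of the EQL library) replays the same logic over constructed file events, using `fnmatch` as a stand-in for EQL's case-insensitive `wildcard()` and a plain `"subtype": "delete"` field in place of `subtype.delete`; the paths, user names and extension id are placeholders.

```python
import fnmatch

# Patterns copied from the EQL analytic above.
FILE_NAME_PATTERNS = ["*.exe", "*.dll", "*.ps1", "*.vbs", "*.bat"]
FILE_PATH_PATTERNS = [
    # windows
    r"*\AppData\Local\Google\Chrome\User Data\Default\Extensions\*",
    r"*:\Program Files\Mozilla Firefox\plugins\*",
    r"*:\Program Files\Internet Explorer\Plugins\*",
    # macos
    "/Applications/Firefox.app/Contents/MacOS/firefox/plugins/*",
    "/Users/*/Library/Safari/Extensions/*",
    "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/*",
]

def wildcard(value, *patterns):
    """Stand-in for EQL wildcard(): case-insensitive glob against any pattern.
    fnmatchcase keeps the result OS-independent; '*' spans both '\\' and '/'."""
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)

def matches(event):
    """Mirror of the query: non-delete file events whose name looks like a
    script or binary and whose path is under a browser extension/plugin dir."""
    return (event["event_type"] == "file"
            and event.get("subtype") != "delete"
            and wildcard(event["file_name"], *FILE_NAME_PATTERNS)
            and wildcard(event["file_path"], *FILE_PATH_PATTERNS))

def hunt(events):
    return [e for e in events if matches(e)]

# Constructed sample telemetry (not real events); the extension id is a placeholder.
CHROME_EXT = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaabbbbccccddddeeeeffffgggghhhh\1.0_0"
SAMPLE_EVENTS = [
    {"event_type": "file", "subtype": "create", "file_name": "updater.exe",
     "file_path": CHROME_EXT + r"\updater.exe"},          # hit
    {"event_type": "file", "subtype": "create", "file_name": "manifest.json",
     "file_path": CHROME_EXT + r"\manifest.json"},        # ordinary extension file
    {"event_type": "file", "subtype": "delete", "file_name": "helper.dll",
     "file_path": r"C:\Program Files\Mozilla Firefox\plugins\helper.dll"},  # delete: excluded
    {"event_type": "file", "subtype": "create", "file_name": "payload.PS1",
     "file_path": "/Users/bob/Library/Safari/Extensions/payload.PS1"},     # hit (case-insensitive)
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["file_path"])
```

Dropping the trailing `\*` from the Chrome pattern (as an earlier rendering of this page did) makes the first sample event stop matching, since `file_path` carries the full path including the file name.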