Suspicious File Creation via Browser Extensions

Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, via social engineering, or by an adversary that has already compromised a system. This analytic looks for executable or script files being written into browser extension and plugin directories, which legitimate extensions rarely contain.

id:7797d204-3205-4033-bac7-658fc203198d
categories:enrich
confidence:low
os:macos, windows
created:7/26/2019
updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Persistence
techniques:T1176 Browser Extensions

Query

file where not subtype.delete and
  // executable or script file types written into extension/plugin directories
  wildcard(file_name, "*.exe", "*.dll", "*.ps1", "*.vbs", "*.bat") and
  wildcard(file_path,
       // windows
       // trailing \\* so a full file path under Extensions matches, not only the directory itself
       "*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*",
       "*:\\Program Files\\Mozilla Firefox\\plugins\\*",
       "*:\\Program Files\\Internet Explorer\\Plugins\\*",

       // macos
       "/Applications/Firefox.app/Contents/MacOS/firefox/plugins/*",
       "/Users/*/Library/Safari/Extensions/*",
       "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/*"
       )
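
To test the query's logic offline, the following is an added Python re-implementation of its three conditions (not part of the analytic itself) run over constructed file events; it assumes EQL's case-insensitive wildcard semantics and gives the Windows Chrome pattern a trailing \* so that it matches a full file path.

```python
"""Plain-Python equivalent of the EQL analytic above, for offline testing.
Added example; assumes the fields file_name, file_path and subtype.delete
map to the dict keys used below."""
import fnmatch

NAME_PATTERNS = ["*.exe", "*.dll", "*.ps1", "*.vbs", "*.bat"]
PATH_PATTERNS = [
    # windows (trailing \* assumed so a full file path matches)
    r"*\AppData\Local\Google\Chrome\User Data\Default\Extensions\*",
    r"*:\Program Files\Mozilla Firefox\plugins\*",
    r"*:\Program Files\Internet Explorer\Plugins\*",
    # macos
    "/Applications/Firefox.app/Contents/MacOS/firefox/plugins/*",
    "/Users/*/Library/Safari/Extensions/*",
    "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/*",
]


def wildcard(value, *patterns):
    """EQL-style wildcard(): case-insensitive glob match against any pattern."""
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def matches(event):
    """Apply the query: file event, not a delete, suspicious name, watched path."""
    return (event["event_type"] == "file"
            and not event.get("subtype_delete", False)
            and wildcard(event["file_name"], *NAME_PATTERNS)
            and wildcard(event["file_path"], *PATH_PATTERNS))


def find_hits(events):
    """Return the file_path of every event the analytic would flag."""
    return [e["file_path"] for e in events if matches(e)]


# Constructed sample events, not real telemetry.
CHROME_EXT = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions"
SAMPLE_EVENTS = [
    {"event_type": "file", "file_name": "update.exe",
     "file_path": CHROME_EXT + r"\abcdefgh\1.0_0\update.exe"},            # hit
    {"event_type": "file", "file_name": "update.exe", "subtype_delete": True,
     "file_path": CHROME_EXT + r"\abcdefgh\1.0_0\update.exe"},            # delete: ignored
    {"event_type": "file", "file_name": "Helper.EXE",
     "file_path": "/Users/bob/Library/Safari/Extensions/Helper.EXE"},     # hit (case-insensitive)
    {"event_type": "file", "file_name": "manifest.json",
     "file_path": CHROME_EXT + r"\abcdefgh\1.0_0\manifest.json"},         # normal extension file
    {"event_type": "file", "file_name": "setup.exe",
     "file_path": r"C:\Users\alice\Downloads\setup.exe"},                 # outside watched paths
]

if __name__ == "__main__":
    for path in find_hits(SAMPLE_EVENTS):
        print("suspicious extension file:", path)
```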

Contributors