Suspicious Chromium Browser Instance Executed With Custom Extension

    Date: 10/04/2024

    Severity: Medium

    Summary

    This detection flags a Chromium-based browser (Brave, Chrome, Edge, Opera or Vivaldi) that is started with the --load-extension= switch by a scripting host or living-off-the-land binary such as cmd.exe, PowerShell, mshta.exe, wscript.exe, cscript.exe, regsvr32.exe or rundll32.exe. That combination is rarely seen in normal use and can indicate that an unpacked, unsigned extension has been side-loaded to steal data, phish credentials or gain unauthorized access to user information. Analysts should investigate the loaded extension's behavior, origin and requested permissions to determine whether it poses a threat to the system or to user privacy. Such findings highlight the importance of monitoring browser extensions and ensuring they come from trusted sources.

    Indicators of Compromise (IOC) List

    Image (process path ends with):
        '\brave.exe', '\chrome.exe', '\msedge.exe', '\opera.exe', '\vivaldi.exe'

    ParentImage (parent process path ends with):
        '\cmd.exe', '\cscript.exe', '\mshta.exe', '\powershell.exe', '\pwsh.exe', '\regsvr32.exe', '\rundll32.exe', '\wscript.exe'

    CommandLine (contains):
        '--load-extension='

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((((resourcename in ("Sysmon") AND eventtype = "1") AND image IN ("\brave.exe","\chrome.exe","\msedge.exe","\opera.exe","\vivaldi.exe")) AND parentimage IN ("\cmd.exe","\cscript.exe","\mshta.exe","\powershell.exe","\pwsh.exe","\regsvr32.exe","\rundll32.exe","\wscript.exe")) AND commandline = "--load-extension=")

    Detection Query 2

    ((((technologygroup = "EDR") AND image IN ("\brave.exe","\chrome.exe","\msedge.exe","\opera.exe","\vivaldi.exe")) AND parentimage IN ("\cmd.exe","\cscript.exe","\mshta.exe","\powershell.exe","\pwsh.exe","\regsvr32.exe","\rundll32.exe","\wscript.exe")) AND commandline = "--load-extension=")

    Detection Query 3

    ((((resourcename in ("Windows security") AND eventtype = "4688") AND processname IN ("\brave.exe","\chrome.exe","\msedge.exe","\opera.exe","\vivaldi.exe")) AND parentprocessname IN ("\cmd.exe","\cscript.exe","\mshta.exe","\powershell.exe","\pwsh.exe","\regsvr32.exe","\rundll32.exe","\wscript.exe")) AND commandline = "--load-extension=")

    Detection Query 4

    ((((technologygroup = "EDR") AND processname IN ("\brave.exe","\chrome.exe","\msedge.exe","\opera.exe","\vivaldi.exe")) AND parentprocessname IN ("\cmd.exe","\cscript.exe","\mshta.exe","\powershell.exe","\pwsh.exe","\regsvr32.exe","\rundll32.exe","\wscript.exe")) AND commandline = "--load-extension=")
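    The four queries above differ only in the telemetry source and field names (image/parentimage for Sysmon Event ID 1 and EDR, processname/parentprocessname for Windows Security 4688). The following is an added example, not part of the Gurucul page or the referenced Sigma rule, that applies the same logic in Python to constructed process-creation events from both schemas, and also pulls the extension directory out of the command line for triage. Note that the referenced Sigma rule matches Image and ParentImage with "endswith" and CommandLine with "contains"; a real command line also carries the executable path and other switches, so whatever operator the query platform uses for commandline must perform substring matching or the rule will never fire. All paths, user names and event IDs in the sample data are made up.

```python
"""Added example: detection logic of the 'suspicious Chromium --load-extension' rule
applied to constructed Sysmon / Windows 4688 style events. Not vendor code."""
import re
from typing import Iterable, List, Optional, Tuple

# Match lists taken from the page's IOC section; a leading '\' means "path ends with".
BROWSER_IMAGES = ("\\brave.exe", "\\chrome.exe", "\\msedge.exe", "\\opera.exe", "\\vivaldi.exe")
SCRIPT_HOST_PARENTS = ("\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
                       "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe")
FLAG = "--load-extension="

# Field names differ per telemetry source, which is why the page needs four queries.
_SCHEMAS = (
    ("image", "parentimage", "commandline"),              # Sysmon Event ID 1 / EDR
    ("processname", "parentprocessname", "commandline"),  # Windows Security 4688 / EDR
)


def normalize(event: dict) -> Optional[dict]:
    """Map an event from either schema onto image/parent/cmdline; None if fields are missing."""
    lowered = {k.lower(): v for k, v in event.items()}
    for img_key, parent_key, cmd_key in _SCHEMAS:
        if img_key in lowered and parent_key in lowered:
            return {"image": lowered[img_key],
                    "parent": lowered[parent_key],
                    "cmdline": lowered.get(cmd_key, "")}
    return None


def _endswith_any(path: str, suffixes: Tuple[str, ...]) -> bool:
    # Sigma string matching is case-insensitive, so compare lower-cased values.
    p = path.lower()
    return any(p.endswith(s.lower()) for s in suffixes)


def is_suspicious_load_extension(event: dict) -> bool:
    """True when a Chromium browser is started by a script host with --load-extension= present."""
    n = normalize(event)
    if n is None:
        return False
    return (_endswith_any(n["image"], BROWSER_IMAGES)
            and _endswith_any(n["parent"], SCRIPT_HOST_PARENTS)
            and FLAG in n["cmdline"].lower())


# Value may be quoted ("C:\path with spaces") or bare; several directories are comma-separated.
_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def extension_paths(cmdline: str) -> List[str]:
    """Extract the directories passed to --load-extension= so an analyst knows what to collect."""
    m = _EXT_RE.search(cmdline)
    if not m:
        return []
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in value.split(",") if p]


def find_alerts(events: Iterable[dict]) -> List[Tuple[int, List[str]]]:
    """Return (event id, extension directories) for every event that matches the rule."""
    alerts = []
    for ev in events:
        if is_suspicious_load_extension(ev):
            alerts.append((ev["id"], extension_paths(normalize(ev)["cmdline"])))
    return alerts


# Constructed sample events (made-up paths and users), two per schema.
SAMPLE_EVENTS = [
    {"id": 1,  # Sysmon schema, script-host parent, flag present -> alert
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext1" --no-first-run'},
    {"id": 2,  # 4688 schema, cmd.exe parent, two unquoted directories, mixed case -> alert
     "processname": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parentprocessname": r"C:\Windows\System32\cmd.exe",
     "commandline": r"msedge.exe --LOAD-EXTENSION=C:\tools\ext2,C:\tools\ext3"},
    {"id": 3,  # launched from explorer.exe (not a script host) -> no alert
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"chrome.exe" --load-extension=C:\dev\myext'},
    {"id": 4,  # script-host parent but no --load-extension= switch -> no alert
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"chrome.exe" https://example.com'},
]

if __name__ == "__main__":
    for event_id, paths in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT event {event_id}: side-loaded extension dirs {paths}")
```

    Events 1 and 2 fire, events 3 and 4 do not; the extracted directories are what an analyst would acquire (manifest.json, background scripts) to assess the extension's permissions and origin.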

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml


    Tags

    SigmaMalware
