Analytics Alerts
Browse the Cortex analytics alert reference.
5 alerts match the current filters. tactic: TA0003 ✕ technique: T1176 ✕
Show ATT&CK heatmapA browser extension was installed or loaded in an uncommon way Informational 3 variations
A browser extension was installed or loaded in an uncommon way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Chromium Extensions AnalyticsAttacker's goals: Gain persistency on a machine and steal sensitive browsing data.Investigative actions: Investigate the extension files and the process that installed them. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.Variations
A browser was forced to load an extension using a special command line argument
Low overridden
A browser was forced to load an extension using a special command line argument, an uncommon method. overridden
A browser extension was installed or loaded in an uncommon way by a LOLBIN process
Low overridden
A browser extension was installed or loaded in an uncommon way. overridden
A browser extension was installed or loaded in an uncommon way by an uncommon process
Low overridden
A browser extension was installed or loaded in an uncommon way. overridden
Browser Extension Installed Informational 1 variation
Uncommon browser extension installed.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Chromium Extensions AnalyticsAttacker's goals: Establish persistent access to victim systems through Chromium-based browser, steal sensitive data such credentials, cookies hijacking and financial data.Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.Variations
Uncommon Browser Extension Installed
Low overridden
Uncommon browser extension installed. overridden
Chrome Extension Installed By User Informational Identity Threat Module
A Chrome extension was installed or updated by a Google Workspace user.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.Investigative actions: Review the extension installed, it's OAuth scopes, reputation and permissions. Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains. Investigate the source IP and identity for previous malicious activity or anomalies.Rare access to known advertising domains Informational 2 variations
The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Day
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Causing the user to view excessive advertising content.Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.Variations
Rare access to known advertising domains from a Rare User Agent
Informational overridden
The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden
Suspicious Rare access to known advertising domains
Low overridden
The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden
Uncommon browser extension loaded Informational
An uncommon browser extension was loaded by a Chromium-based browser.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Chromium Extensions AnalyticsAttacker's goals: Gain persistency on a machine and steal sensitive browsing data.Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.