Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

5 alerts match the current filters. technique: T1176 ✕

Show ATT&CK heatmap
  • A browser extension was installed or loaded in an uncommon way Informational 3 variations

    A browser extension was installed or loaded in an uncommon way.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Gain persistency on a machine and steal sensitive browsing data.
    Investigative actions: Investigate the extension files and the process that installed them. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.

    Variations

    A browser was forced to load an extension using a special command line argument

    Low overridden

    A browser was forced to load an extension using a special command line argument, an uncommon method. overridden

    A browser extension was installed or loaded in an uncommon way by a LOLBIN process

    Low overridden

    A browser extension was installed or loaded in an uncommon way. overridden

    A browser extension was installed or loaded in an uncommon way by an uncommon process

    Low overridden

    A browser extension was installed or loaded in an uncommon way. overridden

  • Browser Extension Installed Informational 1 variation

    Uncommon browser extension installed.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Establish persistent access to victim systems through Chromium-based browser, steal sensitive data such credentials, cookies hijacking and financial data.
    Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.

    Variations

    Uncommon Browser Extension Installed

    Low overridden

    Uncommon browser extension installed. overridden

  • Chrome Extension Installed By User Informational Identity Threat Module

    A Chrome extension was installed or updated by a Google Workspace user.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)
    ATT&CK techniques: Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) Software Extensions: Browser Extensions (T1176.001)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: Adversaries may leverage browser extensions installation to gain Initial Access and Persistence, enabling them to intercept credentials and hijack active web sessions.
    Investigative actions: Review the extension installed, it's OAuth scopes, reputation and permissions. Analyze subsequent network traffic from the user's device or browser for connections to newly registered domains. Investigate the source IP and identity for previous malicious activity or anomalies.
  • Rare access to known advertising domains Informational 2 variations

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Day
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Persistence (TA0003)
    ATT&CK techniques: Application Layer Protocol (T1071) Software Extensions: Browser Extensions (T1176.001)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Causing the user to view excessive advertising content.
    Investigative actions: Investigate the infected machine and search for suspicious browser extensions, see if changes were made to the homepage or if the browser is slower than usual, check whether sites that do not have ads usually, display ads when accessed from the possibly infected endpoint. Search for suspicious redirections or proxy configuration on the infected machine. Search for a C&C communication.

    Variations

    Rare access to known advertising domains from a Rare User Agent

    Informational overridden

    The endpoint performed many connections to unpopular advertising domains from a rare user agent.This could indicate the presence of adware on the endpoint. overridden

    Suspicious Rare access to known advertising domains

    Low overridden

    The endpoint performed many connections to unpopular advertising domains.This could indicate the presence of adware on the endpoint. overridden

  • Uncommon browser extension loaded Informational

    An uncommon browser extension was loaded by a Chromium-based browser.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Persistence (TA0003)
    ATT&CK techniques: Software Extensions: Browser Extensions (T1176.001)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Chromium Extensions Analytics
    Attacker's goals: Gain persistency on a machine and steal sensitive browsing data.
    Investigative actions: Investigate the extension and how it was loaded. Check if this extension is currently present at the relevant extensions web store by looking up for its extension ID.