
Suspicious Chromium Browser Instance Executed With Custom Extension

Type: sigma · Level: HIGH · Source: SigmaHQ · ATT&CK technique: T1176.001 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-06T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects a suspicious process (a script host, shell, or LOLBin such as cmd.exe, mshta.exe, regsvr32.exe or rundll32.exe) spawning a Chromium-based browser with the '--load-extension=' flag, which starts the browser with an unpacked custom extension loaded from a local directory.

Detection Rule

Sigma (Original)

title: Suspicious Chromium Browser Instance Executed With Custom Extension
id: 27ba3207-dd30-4812-abbf-5d20c57d474e
related:
    - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
      type: similar
status: test
description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
    - attack.persistence
    - attack.t1176.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where (
        ParentProcessName endswith "\\cmd.exe" or ParentProcessName endswith "\\cscript.exe" or
        ParentProcessName endswith "\\mshta.exe" or ParentProcessName endswith "\\powershell.exe" or
        ParentProcessName endswith "\\pwsh.exe" or ParentProcessName endswith "\\regsvr32.exe" or
        ParentProcessName endswith "\\rundll32.exe" or ParentProcessName endswith "\\wscript.exe"
    ) or (
        ActingProcessName endswith "\\cmd.exe" or ActingProcessName endswith "\\cscript.exe" or
        ActingProcessName endswith "\\mshta.exe" or ActingProcessName endswith "\\powershell.exe" or
        ActingProcessName endswith "\\pwsh.exe" or ActingProcessName endswith "\\regsvr32.exe" or
        ActingProcessName endswith "\\rundll32.exe" or ActingProcessName endswith "\\wscript.exe"
    )
| where TargetProcessName endswith "\\brave.exe" or TargetProcessName endswith "\\chrome.exe" or
        TargetProcessName endswith "\\msedge.exe" or TargetProcessName endswith "\\opera.exe" or
        TargetProcessName endswith "\\vivaldi.exe"
| where TargetProcessCommandLine contains "--load-extension="
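The following is an added example and not SigmaHQ's or the feed's own code: it re-implements the Sigma selection above (and the parent/acting-process fallback of the KQL translation) in Python so the rule can be exercised against constructed imProcessCreate-style events offline. Field names follow the ASIM columns used in the KQL; the sample events, the EventId values and the extension_path triage helper are constructed for this example. Note that Sigma's endswith/contains modifiers, like KQL's endswith/contains, are case-insensitive, so the matcher folds case on both sides.

```python
"""Reference matcher for the '--load-extension=' Sigma selection (added example)."""
import re
from typing import Dict, List, Optional

# Values copied verbatim from the Sigma rule's selection block.
PARENT_IMAGES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe",
)
BROWSER_IMAGES = ("\\brave.exe", "\\chrome.exe", "\\msedge.exe", "\\opera.exe", "\\vivaldi.exe")
LOAD_EXTENSION_FLAG = "--load-extension="


def _endswith_any(value: str, suffixes) -> bool:
    # Sigma string modifiers and KQL endswith/contains are case-insensitive,
    # so both sides are folded to lower case before comparing.
    folded = value.lower()
    return any(folded.endswith(s.lower()) for s in suffixes)


def matches(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule's single selection (condition: selection)."""
    # The KQL translation accepts the parent in either ParentProcessName or ActingProcessName.
    parent_ok = (_endswith_any(event.get("ParentProcessName", ""), PARENT_IMAGES)
                 or _endswith_any(event.get("ActingProcessName", ""), PARENT_IMAGES))
    browser_ok = _endswith_any(event.get("TargetProcessName", ""), BROWSER_IMAGES)
    flag_ok = LOAD_EXTENSION_FLAG in event.get("TargetProcessCommandLine", "").lower()
    return parent_ok and browser_ok and flag_ok


# Hypothetical triage helper: the directory passed to --load-extension= is the
# first thing an analyst wants to pull from a matching event.
_EXT_PATH = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def extension_path(cmdline: str) -> Optional[str]:
    """Return the extension directory from the command line, or None if the flag is absent."""
    m = _EXT_PATH.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


# Constructed sample events (not real telemetry); EventId is a label for this example only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # script host -> Chrome with an unpacked extension: should alert
        "EventId": "1",
        "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetProcessCommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\Public\ext',
    },
    {   # same flag but launched from explorer.exe: parent not in the list, no alert
        "EventId": "2",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "TargetProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetProcessCommandLine": r"chrome.exe --load-extension=C:\Users\Public\ext",
    },
    {   # cmd.exe -> chrome.exe without the flag: no alert
        "EventId": "3",
        "ParentProcessName": r"C:\Windows\System32\cmd.exe",
        "TargetProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetProcessCommandLine": r"chrome.exe --incognito https://example.invalid",
    },
    {   # upper-case names, quoted path, parent only in ActingProcessName: still alerts
        "EventId": "4",
        "ActingProcessName": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
        "TargetProcessName": r"C:\PROGRAM FILES (X86)\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE",
        "TargetProcessCommandLine": r'MSEDGE.EXE --LOAD-EXTENSION="C:\Temp\my ext"',
    },
    {   # non-Chromium browser: Image not in the list, no alert
        "EventId": "5",
        "ParentProcessName": r"C:\Windows\System32\cmd.exe",
        "TargetProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "TargetProcessCommandLine": r"firefox.exe --load-extension=C:\Users\Public\ext",
    },
]


def alerting_event_ids(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[str]:
    """Run the rule over a batch of events and return the ids that would alert."""
    return [e["EventId"] for e in events if matches(e)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if matches(ev):
            print(ev["EventId"], extension_path(ev["TargetProcessCommandLine"]))
```

Events 1 and 4 alert and events 2, 3 and 5 do not, which mirrors the rule's three ANDed fields: a scripting or LOLBin parent, a Chromium-family image, and the flag in the command line. Event 4 is the case worth keeping in a regression set, since a matcher that compared case-sensitively or ignored ActingProcessName would silently miss it.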

Required Data Sources

Sentinel Table   | Notes
imProcessCreate  | Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml