Techniques
Sample rules
Chromium Browser Instance Executed With Custom Extension
- source: sigma
- technicques:
- t1176
Description
Detects a Chromium based browser process with the ’load-extension’ flag to start a instance with a custom extension
Detection logic
condition: selection
selection:
CommandLine|contains: --load-extension=
Image|endswith:
- \brave.exe
- \chrome.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe