security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7be96ec64dc12ed3d2849bb408e4eecfde40dc02
sigma-rules/rules/windows/persistence_browser_extension_install.toml
T

79 lines
2.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/08/22"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2024/10/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
description = """
Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
"""
from = "now-9m"
index = [
"logs-endpoint.events.file-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
"endgame-*"
]
language = "eql"
license = "Elastic License v2"
name = "Browser Extension Install"
risk_score = 21
rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: SentinelOne",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "windows" and event.type : "creation" and
(
/* Firefox-Based Browsers */
(
file.name : "*.xpi" and
file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
not
(
process.name : "firefox.exe" and
file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
)
) or
/* Chromium-Based Browsers */
(
file.name : "*.crx" and
file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1176"
name = "Browser Extensions"
reference = "https://attack.mitre.org/techniques/T1176/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink