feat: update to the extension rule

SigmaHQ · Nov 28, 2023 · ea8fe72 · ea8fe72
1 parent ebd2e41
commit ea8fe72
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 8 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
@@ -0,0 +1,33 @@
+title: Chromium Browser Instance Executed With Custom Extension
+id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
+related:
+    - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
+      type: similar
+status: experimental
+description: Detects a chromium based browser process with the 'load-extension' flag to start a instance with custom extension
+references:
+    - https://redcanary.com/blog/chromeloader/
+    - https://emkc.org/s/RJjuLa
+    - https://www.mandiant.com/resources/blog/lnk-between-browsers
+author: Aedan Russell, frack113, X__Junior (Nextron Systems)
+date: 2022/06/19
+modified: 2023/11/28
+tags:
+    - attack.persistence
+    - attack.t1176
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\brave.exe'
+            - '\chrome.exe'
+            - '\msedge.exe'
+            - '\opera.exe'
+            - '\vivaldi.exe'
+        CommandLine|contains: '--load-extension='
+    condition: selection
+falsepositives:
+    - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
@@ -1,14 +1,17 @@
-title: Suspicious Chromium Browser Instance Executed With Custom Extensions
+title: Suspicious Chromium Browser Instance Executed With Custom Extension
 id: 27ba3207-dd30-4812-abbf-5d20c57d474e
+related:
+    - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
+      type: similar
 status: experimental
-description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions
+description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extension
 references:
     - https://redcanary.com/blog/chromeloader/
     - https://emkc.org/s/RJjuLa
     - https://www.mandiant.com/resources/blog/lnk-between-browsers
 author: Aedan Russell, frack113, X__Junior (Nextron Systems)
 date: 2022/06/19
-modified: 2023/11/27
+modified: 2023/11/28
 tags:
     - attack.persistence
     - attack.t1176
@@ -17,6 +20,15 @@ logsource:
     product: windows
 detection:
     selection:
+        ParentImage|endswith:
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
         Image|endswith:
             - '\brave.exe'
             - '\chrome.exe'
@@ -26,9 +38,5 @@ detection:
         CommandLine|contains: '--load-extension='
     condition: selection
 falsepositives:
-    - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
-fields:
-    - ParentImage
-    - Image
-    - CommandLine
+    - Unknown
 level: high