From 1287ff77f8745db49f7ac7ab2c1a457c0a1540fe Mon Sep 17 00:00:00 2001 From: Josh Date: Mon, 27 Nov 2023 11:21:08 -0500 Subject: [PATCH 1/4] Modified rule to widen scope Scope for this rule is too narrow. By limiting the parent processes, you're missing out on important chrome browser extensions. For example, Silver's CursedChrome would pass right through as would BurpSuite's chrome extension. Instead the ParentImage is moved to the `fields` as it is interesting and important for the analyst, but should not narrow the scope of the search. --- ...in_browsers_chromium_susp_load_extension.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml index 9088ee6df31..155fc6a514e 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml @@ -8,7 +8,7 @@ references: - https://www.mandiant.com/resources/blog/lnk-between-browsers author: Aedan Russell, frack113, X__Junior (Nextron Systems) date: 2022/06/19 -modified: 2023/09/28 +modified: 2023/11/27 tags: - attack.persistence - attack.t1176 @@ -17,15 +17,6 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\cmd.exe' - - '\cscript.exe' - - '\mshta.exe' - - '\powershell.exe' - - '\pwsh.exe' - - '\regsvr32.exe' - - '\rundll32.exe' - - '\wscript.exe' Image|endswith: - '\brave.exe' - '\chrome.exe' @@ -35,5 +26,9 @@ detection: CommandLine|contains: '--load-extension=' condition: selection falsepositives: - - Unknown + - Usage of Chrome Extensions in pentesting tools - BurpSuite will trigger this alert +fields: + - ParentImage + - Image + - CommandLine level: high From ebd2e41a34910c2bbf0cbd64d7c609722e4c762c Mon Sep 17 00:00:00 2001 
From: Josh Date: Mon, 27 Nov 2023 11:29:59 -0500 Subject: [PATCH 2/4] Update proc_creation_win_browsers_chromium_susp_load_extension.yml -pen --- .../proc_creation_win_browsers_chromium_susp_load_extension.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml index 155fc6a514e..68fcd51a9f5 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml @@ -26,7 +26,7 @@ detection: CommandLine|contains: '--load-extension=' condition: selection falsepositives: - - Usage of Chrome Extensions in pentesting tools - BurpSuite will trigger this alert + - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert fields: - ParentImage - Image From ea8fe72f8c51b7e46c09317a852dece604d0f2ab Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Tue, 28 Nov 2023 10:37:05 +0100 Subject: [PATCH 3/4] feat: update to the extension rule --- ...n_win_browsers_chromium_load_extension.yml | 33 +++++++++++++++++++ ..._browsers_chromium_susp_load_extension.yml | 24 +++++++++----- 2 files changed, 49 insertions(+), 8 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml new file mode 100644 index 00000000000..3cbd5efb295 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml 
@@ -0,0 +1,33 @@ +title: Chromium Browser Instance Executed With Custom Extension +id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 +related: + - id: 27ba3207-dd30-4812-abbf-5d20c57d474e + type: similar +status: experimental +description: Detects a chromium based browser process with the 'load-extension' flag to start a instance with custom extension +references: + - https://redcanary.com/blog/chromeloader/ + - https://emkc.org/s/RJjuLa + - https://www.mandiant.com/resources/blog/lnk-between-browsers +author: Aedan Russell, frack113, X__Junior (Nextron Systems) +date: 2022/06/19 +modified: 2023/11/28 +tags: + - attack.persistence + - attack.t1176 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\brave.exe' + - '\chrome.exe' + - '\msedge.exe' + - '\opera.exe' + - '\vivaldi.exe' + CommandLine|contains: '--load-extension=' + condition: selection +falsepositives: + - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml index 68fcd51a9f5..c3999711930 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml 
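Review bot: The `CommandLine|contains: '--load-extension='` selection in the new rule only matches the double-dash spelling; as far as I recall, Chromium's command-line parser on Windows also accepts `-` and `/` as switch prefixes, so `-load-extension=` or `/load-extension=` would load the same unpacked extension without tripping the rule. A cheap hardening is to match the bare switch name instead, e.g. `CommandLine|contains: 'load-extension='`, which is acceptable at this rule's medium level. The `Image|endswith` list also omits plain `chromium.exe`, which is worth adding if the rule is meant to cover all Chromium builds rather than only the branded ones. Both points apply equally to the sibling high-level rule, whose selection is identical apart from the parent filter.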
@@ -1,14 +1,17 @@ -title: Suspicious Chromium Browser Instance Executed With Custom Extensions +title: Suspicious Chromium Browser Instance Executed With Custom Extension id: 27ba3207-dd30-4812-abbf-5d20c57d474e +related: + - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 + type: similar status: experimental -description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions +description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extension references: - https://redcanary.com/blog/chromeloader/ - https://emkc.org/s/RJjuLa - https://www.mandiant.com/resources/blog/lnk-between-browsers author: Aedan Russell, frack113, X__Junior (Nextron Systems) date: 2022/06/19 -modified: 2023/11/27 +modified: 2023/11/28 tags: - attack.persistence - attack.t1176 @@ -17,6 +20,15 @@ logsource: product: windows detection: selection: + ParentImage|endswith: + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' Image|endswith: - '\brave.exe' - '\chrome.exe' @@ -26,9 +38,5 @@ detection: CommandLine|contains: '--load-extension=' condition: selection falsepositives: - - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert -fields: - - ParentImage - - Image - - CommandLine + - Unknown level: high From b08f0135fc6f90c2299de83acfc62dd4c7b0394e Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 28 Nov 2023 10:48:08 +0100 Subject: [PATCH 4/4] fix: minor --- .../proc_creation_win_browsers_chromium_load_extension.yml | 2 +- .../proc_creation_win_browsers_chromium_susp_load_extension.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml index 3cbd5efb295..8319387bda8 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml @@ -4,7 +4,7 @@ related: - id: 27ba3207-dd30-4812-abbf-5d20c57d474e type: similar status: experimental -description: Detects a chromium based browser process with the 'load-extension' flag to start a instance with custom extension +description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension references: - https://redcanary.com/blog/chromeloader/ - https://emkc.org/s/RJjuLa diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml index c3999711930..3fbed6e5eaf 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml @@ -4,7 +4,7 @@ related: - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 type: similar status: experimental -description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extension +description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension references: - https://redcanary.com/blog/chromeloader/ - https://emkc.org/s/RJjuLa
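Review bot: The rewritten description in the first hunk still reads `to start a instance with a custom extension`, while the same patch corrects the article in the sibling rule's description to `an instance`, so the two rules now diverge on wording only. Suggest `description: Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension` so the pair reads identically apart from the "suspicious process spawning" qualifier. Nothing else in either hunk changes detection behaviour.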