cscli scenarios install sigmahq/proc_creation_win_browsers_chromium_susp_load_extension1type: trigger2name: sigmahq/proc_creation_win_browsers_chromium_susp_load_extension3description: |4 Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.ParentImage endsWith '\\cmd.exe' || evt.Parsed.ParentImage endsWith '\\cscript.exe' || evt.Parsed.ParentImage endsWith '\\mshta.exe' || evt.Parsed.ParentImage endsWith '\\powershell.exe' || evt.Parsed.ParentImage endsWith '\\pwsh.exe' || evt.Parsed.ParentImage endsWith '\\regsvr32.exe' || evt.Parsed.ParentImage endsWith '\\rundll32.exe' || evt.Parsed.ParentImage endsWith '\\wscript.exe') && (evt.Parsed.Image endsWith '\\brave.exe' || evt.Parsed.Image endsWith '\\chrome.exe' || evt.Parsed.Image endsWith '\\msedge.exe' || evt.Parsed.Image endsWith '\\opera.exe' || evt.Parsed.Image endsWith '\\vivaldi.exe') && evt.Parsed.CommandLine contains '--load-extension=')7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t11761516 label: "Suspicious Chromium Browser Instance Executed With Custom Extension"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324