MITRE ATT&CK® Analytic

AN0123: Analytic 0123

Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process.

Domain: Enterprise | Object: AN0123 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because browser extensions can become a pathway for data exposure, user-level persistence (an installed extension is loaded again each time the browser starts, without any new execution event of its own), or unwanted network communication. The practical defensive value is not just knowing an extension was installed, but validating whether the browser soon began writing suspicious files or connecting to untrusted domains. For leaders, this is a control and visibility question: can the organization prove it monitors risky browser behavior on Windows endpoints after extension changes?

Executive priority

Prioritize this as an endpoint and user-risk visibility check for Windows environments. Executives and security leaders should ask whether browser extension activity is governed, logged, and reviewable; whether SOC teams can correlate extension installation with follow-on file and network behavior; and whether incident responders can quickly determine which users, browsers, files, and destinations were involved. This supports operational resilience, compliance evidence around endpoint monitoring, and practical risk reduction for unmanaged or lightly governed browser add-ons.

Technical view

The supplied analytic describes a Windows detection pattern: a new browser extension installation followed by suspicious file writes or outbound network connections to untrusted domains by the browser process. SOC and detection teams should validate whether endpoint telemetry can identify extension installation events, browser process file-write activity, and browser-initiated outbound connections, then correlate those events in a short post-installation window. Because no official detection logic or ATT&CK tactic is supplied, implementation should be environment-specific and tested against normal browser update, extension update, and user browsing behavior.

Likely telemetry

  • Windows endpoint process telemetry for browser processes
  • Browser extension installation or extension inventory/change events
  • File creation or file write events attributed to browser processes
  • Outbound network connection logs attributed to browser processes
  • DNS or proxy logs for domains contacted after extension installation

Detection direction

  • Validate that extension installation can be observed directly (browser extension inventory or browser-management telemetry) or inferred reliably on Windows endpoints (for example, from the browser process creating an extension manifest under its own profile directory).
  • Correlate new extension installation with subsequent suspicious file writes by the same browser process.
  • Correlate new extension installation with outbound browser connections to domains not already trusted or expected in the environment.
  • Tune carefully for legitimate extension installs, browser synchronization, browser updates, and common enterprise-approved extensions to reduce false positives.
  • Use local allowlists, proxy categories, domain reputation, and business-approved extension lists to define 'untrusted' in a defensible way.
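The correlation described under Technical view and Detection direction, as an added example written for this page (it is not detection logic from MITRE or from Glexia). The script runs over constructed Sysmon-style events (Event ID 11 file creates and Event ID 3 network connects attributed to the browser process). Everything specific is an assumption to be replaced locally: the Chromium-family profile layout and the use of a manifest.json write under the Extensions directory as the install signal, the 10-minute window, the browser image list, the "expected write" locations, and the approved-extension and trusted-domain allowlists. It also shows two of the tuning points from the list: a manifest write for an already-known extension id is treated as an update rather than a new install, and an inventory seed prevents extensions that existed before logging began from being reported as new.

```python
"""Added example: correlate a new browser extension install with suspicious
file writes or untrusted outbound connections by the same browser process
inside a short window. Not part of the ATT&CK object or the page's own text."""
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=10)           # post-install correlation window (assumption)
BROWSERS = {"chrome.exe", "msedge.exe"}  # browser images in scope (assumption)

# Assumption: Chromium-family profile layout. The browser process creating
# ...\User Data\<profile>\Extensions\<32-char id>\<version>\manifest.json is
# used to infer an extension install (first sighting of the id) or an update.
EXT_MANIFEST = re.compile(
    r"\\User Data\\[^\\]+\\Extensions\\(?P<ext_id>[a-p]{32})\\[^\\]+\\manifest\.json$",
    re.IGNORECASE)
# Browser writes under these locations are treated as expected (tuning assumption).
EXPECTED_WRITE = re.compile(r"\\User Data\\|\\Downloads\\|\\AppData\\Local\\Temp\\",
                            re.IGNORECASE)

# Constructed allowlists; an organisation substitutes its own approved
# extension list and trusted-domain set here.
APPROVED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}
TRUSTED_DOMAINS = {"clients2.google.com", "update.googleapis.com", "corp.example.com"}


def extension_id(path):
    """Extension id if the path is an extension manifest write, else None."""
    m = EXT_MANIFEST.search(path)
    return m.group("ext_id") if m else None


def is_trusted(domain):
    """Exact or parent-domain match against the trusted-domain allowlist."""
    d = domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def correlate(events, known_extensions=None):
    """events: (timestamp, host, process, image, event, target) tuples, where
    event is 'FileCreate' (Sysmon EID 11, target = path) or 'NetworkConnect'
    (Sysmon EID 3, target = destination host). process should be the process
    GUID in real telemetry; a bare PID is used here for brevity.
    known_extensions: {host: set(ids)} seeded from inventory so extensions
    present before logging began are not reported as new installs."""
    known = {h: set(ids) for h, ids in (known_extensions or {}).items()}
    pending = {}  # (host, process) -> [(ext_id, install_time), ...]
    alerts = []
    for ts, host, proc, image, event, target in sorted(events, key=lambda e: e[0]):
        if image.lower() not in BROWSERS:
            continue
        key = (host, proc)
        ext_id = extension_id(target) if event == "FileCreate" else None
        if ext_id:
            seen = known.setdefault(host, set())
            is_new = ext_id not in seen
            seen.add(ext_id)
            # Updates (known id) and approved installs are tracked but not correlated.
            if is_new and ext_id not in APPROVED_EXTENSIONS:
                pending.setdefault(key, []).append((ext_id, ts))
            continue
        if event == "FileCreate":
            if EXPECTED_WRITE.search(target):
                continue
            kind = "suspicious_file_write"
        elif event == "NetworkConnect":
            if is_trusted(target):
                continue
            kind = "untrusted_connection"
        else:
            continue
        for ext_id, installed in pending.get(key, []):
            if timedelta(0) <= ts - installed <= WINDOW:
                alerts.append({"host": host, "process": proc, "ext_id": ext_id,
                               "kind": kind, "target": target,
                               "seconds_after_install": int((ts - installed).total_seconds())})
    return alerts


# Constructed sample telemetry for one host; not real log data.
T0 = datetime(2026, 1, 15, 9, 0, 0)
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
NEW_EXT = "bcdefghijklmnopabcdefghijklmnopa"  # constructed id, not on the approved list


def manifest(ext_id, version):
    return f"{PROFILE}\\Extensions\\{ext_id}\\{version}\\manifest.json"


def at(minutes):
    return T0 + timedelta(minutes=minutes)


EVENTS = [
    (at(0), "WS01", 4120, "chrome.exe", "FileCreate", manifest("abcdefghijklmnopabcdefghijklmnop", "2.0.12_0")),  # approved
    (at(1), "WS01", 4120, "chrome.exe", "FileCreate", PROFILE + r"\Cache\data_1"),    # expected write
    (at(2), "WS01", 4120, "chrome.exe", "FileCreate", manifest(NEW_EXT, "1.0.0_0")),  # new, unapproved install
    (at(3), "WS01", 4120, "chrome.exe", "NetworkConnect", "clients2.google.com"),      # trusted
    (at(4), "WS01", 4120, "chrome.exe", "FileCreate",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    (at(5), "WS01", 4120, "chrome.exe", "NetworkConnect", "cdn.untrusted-example.net"),
    (at(5), "WS01", 5050, "outlook.exe", "NetworkConnect", "cdn.untrusted-example.net"),  # not a browser
    (at(6), "WS01", 4120, "chrome.exe", "FileCreate", manifest(NEW_EXT, "1.0.1_0")),  # update, not an install
    (at(40), "WS01", 4120, "chrome.exe", "NetworkConnect", "other-example.org"),        # outside the window
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run stand-alone, the script reports two alerts, both tied to the unapproved extension: the Startup-folder write two minutes after install and the untrusted connection three minutes after it. The approved install, the in-profile cache write, the trusted update connection, the non-browser process, the version update of the same extension, and the connection 38 minutes later are all dropped, which is the tuning behaviour the list above asks for. In a real deployment, key on the Sysmon ProcessGuid rather than the PID, and derive the allowlists from the business-approved extension list and proxy or reputation data rather than literals.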

Mitigation priorities

  • Maintain an approved browser extension policy and review exceptions regularly.
  • Restrict or govern extension installation where business requirements allow; Chromium-based browsers (Chrome, Edge) can enforce an allowlist through the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies.
  • Ensure Windows endpoint logging captures browser process file and network behavior needed for post-install correlation.
  • Use proxy, DNS, or network controls to manage access to untrusted domains.
  • Create incident response procedures for triaging suspicious extension-related activity, including user, host, extension, file, and destination review.

Analyst notes and limits

This is a detection analytic object, not a technique description. The value is in correlation: extension installation alone may be benign, and browser network activity alone is common. The higher-signal behavior is the sequence of a new extension followed by suspicious file writes or outbound connections to untrusted domains by the browser process.

The official object provides no detection logic, no tactic mapping, no relationships, and only Windows as the platform. Definitions of suspicious file writes and untrusted domains must come from local policy, telemetry quality, and environmental baselines. This take does not imply active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0123

Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 60eb773c968084ba...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 60eb773c9680…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0123

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.