AN0125: Analytic 0125
Manual or scripted installation of Chrome extensions using user scripts or config files, followed by unexpected network connections from browser processes.
Analyst context for executives and security teams
This analytic matters because browser extensions can become a business-risk pathway when they are installed outside normal administration and then generate unexpected network traffic. For Linux environments using Chrome, leaders should treat this as a visibility and governance question: can the organization tell when browser configuration changes occur, who or what made them, and whether browser network activity is consistent with expected business use?
Executive priority
Prioritize this where Linux workstations, developer systems, administrator workstations, or other high-trust endpoints use Chrome. Its value lies in validating endpoint and browser governance, producing audit evidence for software and configuration control, and confirming SOC readiness to investigate suspicious browser-originated network activity. Because the object supplies no tactic or relationship context, treat it as a defensive coverage validation rather than as evidence of a specific campaign or impact scenario.
Technical view
For SOC and detection teams, validate whether Linux endpoint telemetry can show Chrome extension installation or configuration changes made through user scripts or configuration files, and whether network telemetry can attribute unexpected outbound connections to browser processes. Since the ATT&CK object provides no detection logic, teams should build or tune detections around the combination of browser configuration change evidence plus anomalous Chrome process network behavior, then baseline expected enterprise extension management activity to reduce false positives.
Likely telemetry
- Linux endpoint file and configuration change monitoring related to Chrome user profiles and browser configuration files
- Process execution telemetry showing scripts or tools modifying browser-related files or settings
- Browser process network connection telemetry, including destination, timing, and process attribution
- Enterprise browser or endpoint management logs showing authorized extension deployment activity
- Proxy, DNS, firewall, or EDR network events that can distinguish Chrome-originated traffic from other processes
Detection direction
- Correlate Chrome extension/configuration changes with subsequent unexpected outbound connections from Chrome browser processes.
- Establish a baseline for approved Chrome extensions and sanctioned deployment mechanisms on Linux systems.
- Tune out expected administrative or enterprise-managed extension updates while retaining visibility into user-level or script-driven changes.
- Validate that telemetry preserves process-to-network attribution; network-only logs may not be sufficient to identify the browser process origin.
- Prioritize review on high-value Linux endpoints where browser activity intersects with privileged access, development workflows, or sensitive data access.
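The telemetry list and detection direction above describe a two-part correlation: an unsanctioned write to Chrome extension or configuration files on Linux, followed within a short window by a Chrome process connecting to a destination outside the baseline. The following Python is an added example written for this page, not code from MITRE or Glexia. It runs over constructed JSON-lines telemetry embedded in the block (not real logs). The file paths reflect standard Chrome-on-Linux locations for user profiles, external extension descriptors and managed policy, and the extension ID format (32 characters from a to p) is Chrome's real scheme; the approved extension ID, the sanctioned management agent path, the expected destination suffixes and the 30-minute window are hypothetical placeholders that a deployment would replace with its own baseline.

```python
"""Correlate unsanctioned Chrome extension/config writes on Linux with later
outbound connections from Chrome processes (added example, constructed data)."""
import json
import re
from datetime import datetime, timedelta

# Correlation window between a browser config change and a Chrome connection.
# Hypothetical tuning value; adjust to your environment.
WINDOW = timedelta(minutes=30)

# Process names / install prefixes that identify a Chrome or Chromium process.
CHROME_COMMS = {"chrome", "chromium", "chromium-browse"}
CHROME_EXE_PREFIXES = ("/opt/google/chrome/", "/usr/lib/chromium/")

# Files Chrome reads extension/config state from on Linux (standard layout;
# profile names other than "Default" and distro-specific Chromium paths vary).
EXT_ID = r"([a-p]{32})"  # Chrome extension IDs are 32 chars drawn from a-p
CONFIG_PATTERNS = [
    re.compile(r"^/home/[^/]+/\.config/(?:google-chrome|chromium)/[^/]+/Extensions/" + EXT_ID + "/"),
    re.compile(r"^/home/[^/]+/\.config/(?:google-chrome|chromium)/[^/]+/(?:Secure )?Preferences$"),
    re.compile(r"^/opt/google/chrome/extensions/" + EXT_ID + r"\.json$"),
    re.compile(r"^/usr/share/(?:google-chrome|chromium)/extensions/" + EXT_ID + r"\.json$"),
    re.compile(r"^/etc/opt/chrome/policies/(?:managed|recommended)/"),
]

# Environment baseline. All three are hypothetical placeholders.
APPROVED_EXTENSIONS = {"aaaabbbbccccddddeeeeffffgggghhhh"}   # sanctioned extension IDs
SANCTIONED_WRITERS = {"/opt/mgmt/agent"}                     # enterprise management agent
EXPECTED_DST_SUFFIXES = ("google.com", "gstatic.com", "googleapis.com")


def parse_events(lines):
    """Parse JSON-lines telemetry and return events sorted by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def classify_config_change(ev):
    """Return a change record for an unsanctioned Chrome config/extension write, else None."""
    if ev.get("type") != "file_write" or ev.get("exe") in SANCTIONED_WRITERS:
        return None
    for pat in CONFIG_PATTERNS:
        m = pat.match(ev["path"])
        if not m:
            continue
        ext_id = m.group(1) if m.groups() else None
        if ext_id in APPROVED_EXTENSIONS:
            return None  # approved extension: baseline, not suspicious
        return {"ts": ev["ts"], "path": ev["path"], "writer": ev.get("exe"),
                "pid": ev.get("pid"), "extension_id": ext_id}
    return None


def is_chrome_process(ev):
    """Process-to-network attribution: only Chrome-originated connections count."""
    return ev.get("comm") in CHROME_COMMS or str(ev.get("exe", "")).startswith(CHROME_EXE_PREFIXES)


def is_expected_destination(dst):
    """Hostname suffix baseline; IP literals never match the baseline."""
    host = dst.lower()
    if re.fullmatch(r"[\d.]+", host) or ":" in host:
        return False
    return any(host == s or host.endswith("." + s) for s in EXPECTED_DST_SUFFIXES)


def correlate(lines, window=WINDOW):
    """Emit an alert for each unexpected Chrome connection preceded by a change within the window."""
    changes, alerts = [], []
    for ev in parse_events(lines):
        change = classify_config_change(ev)
        if change:
            changes.append(change)
            continue
        if ev.get("type") != "net_connect" or not is_chrome_process(ev):
            continue
        if is_expected_destination(ev["dst"]):
            continue
        recent = [c for c in changes if ev["ts"] - window <= c["ts"] <= ev["ts"]]
        if recent:
            alerts.append({"ts": ev["ts"].isoformat(), "chrome_pid": ev.get("pid"),
                           "dst": f"{ev['dst']}:{ev.get('dport')}",
                           "preceding_changes": [c["path"] for c in recent],
                           "writers": sorted({c["writer"] for c in recent})})
    return alerts


# Constructed sample telemetry (not real logs). Addresses are RFC 5737 test ranges.
SAMPLE_TELEMETRY = """
{"ts":"2026-03-02T09:55:00","type":"file_write","pid":900,"comm":"agent","exe":"/opt/mgmt/agent","path":"/etc/opt/chrome/policies/managed/extensions.json"}
{"ts":"2026-03-02T10:00:00","type":"file_write","pid":4100,"comm":"bash","exe":"/usr/bin/bash","path":"/home/dev/.config/google-chrome/Default/Extensions/abcdefghijklmnopabcdefghijklmnop/1.0_0/manifest.json"}
{"ts":"2026-03-02T10:00:01","type":"file_write","pid":4100,"comm":"bash","exe":"/usr/bin/bash","path":"/home/dev/.config/google-chrome/Default/Preferences"}
{"ts":"2026-03-02T10:00:05","type":"file_write","pid":4100,"comm":"bash","exe":"/usr/bin/bash","path":"/home/dev/.config/google-chrome/Default/Extensions/aaaabbbbccccddddeeeeffffgggghhhh/2.1_0/manifest.json"}
{"ts":"2026-03-02T10:03:00","type":"net_connect","pid":4200,"comm":"chrome","exe":"/opt/google/chrome/chrome","dst":"accounts.google.com","dport":443}
{"ts":"2026-03-02T10:04:10","type":"net_connect","pid":4200,"comm":"chrome","exe":"/opt/google/chrome/chrome","dst":"198.51.100.23","dport":443}
{"ts":"2026-03-02T10:10:00","type":"net_connect","pid":4300,"comm":"curl","exe":"/usr/bin/curl","dst":"198.51.100.23","dport":443}
{"ts":"2026-03-02T12:00:00","type":"net_connect","pid":4200,"comm":"chrome","exe":"/opt/google/chrome/chrome","dst":"203.0.113.7","dport":8443}
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_TELEMETRY.splitlines()):
        print(json.dumps(alert, indent=2))
```

On the sample data only the 10:04:10 connection alerts: the policy write comes from the sanctioned agent, the second extension write is an approved ID, the curl connection is not a browser process, and the 12:00 connection falls outside the window even though its destination is not in the baseline. In production the baseline sets would come from the enterprise extension inventory and management tooling, and the sanctioned-writer check should key on more than an executable path (for example a verified package or signed agent), since a path string alone is easy for a script to impersonate.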
Mitigation priorities
- Define and document approved Chrome extension installation and management practices for Linux endpoints.
- Use configuration management or endpoint management controls to enforce authorized browser settings where available.
- Limit unmanaged script-based changes to browser configuration through least privilege and change control practices.
- Ensure endpoint, DNS/proxy, and network monitoring are retained long enough to support incident response reconstruction.
- Include browser extension governance and Linux endpoint coverage in compliance and security control validation activities.
Analyst notes and limits
This is a detection analytic object, not a technique description. The strongest use is as a coverage test: can defenders observe suspicious Chrome extension installation behavior on Linux and connect it to unusual browser network activity? Local environment baselines are essential because legitimate enterprise extension deployment and browser updates can resemble parts of this behavior.
The supplied ATT&CK fields do not include tactics, detection logic, mitigations, relationships, attribution, or active exploitation context. The object is limited to Linux and Chrome-related behavior as described; conclusions about other browsers, operating systems, malware families, campaigns, or impact are not supported by the provided data.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3ef5710e2d36… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0125
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.