MITRE ATT&CK® Detection Strategy

DET0044: Detecting Malicious Browser Extensions Across Platforms


Enterprise · DET0044 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because malicious or unauthorized browser extensions can turn a common productivity tool into a persistence mechanism on user workstations. Even though the ATT&CK detection object does not provide detailed detection logic, its relationship to Browser Extensions (T1176.001) points leaders to a practical question: can the organization see, govern, and investigate extensions across Windows, macOS, and Linux endpoints before they become an incident-response blind spot?

Executive priority

Prioritize this as an endpoint, identity, and compliance-readiness issue rather than only a browser hygiene issue. An extension is loaded every time the browser starts, so it persists through normal user activity without needing a separate persistence mechanism, and it can be installed from local files, custom URLs, or browser app stores. Security leaders should ask whether extension inventory, policy enforcement, exception handling, and SOC investigation evidence are consistent across supported desktop platforms. This is especially relevant for managed detection, incident response readiness, audit evidence around endpoint control, and risk decisions for users with privileged or sensitive access.

Technical view

For SOC and detection engineering teams, validate coverage around the related ATT&CK technique T1176.001, Browser Extensions, under the persistence tactic. Because the official detection strategy text is not provided, build validation around evidence collection and investigation workflows rather than assuming a specific analytic. Confirm whether endpoint and browser-management data can show extension installation, modification, source, identifier, version, permissions where available, user context, browser profile path, and host platform across Linux, Windows, and macOS. IR teams should be able to compare installed extensions against approved baselines and correlate suspicious extension changes with user, process, file, and authentication activity.

Likely telemetry

  • Browser extension inventory and configuration data from managed browsers or endpoint management tooling
  • Endpoint file-system evidence for browser profile and extension directories
  • Process and command execution telemetry related to browser activity and local extension installation paths
  • User and device context from endpoint, identity, and asset inventory systems
  • Change records or policy state for approved, blocked, or force-installed extensions

Detection direction

  • Validate that extension inventory is collected across the platforms supported by the related technique: Linux, Windows, and macOS.
  • Tune for changes from an approved baseline, including newly installed extensions, unexpected versions, unusual installation sources, or extensions appearing in sensitive user populations.
  • Correlate extension changes with persistence-oriented investigation context, such as recurring browser-related artifacts, user logons, endpoint activity, and asset criticality.
  • Account for false positives from legitimate business extensions, developer testing, browser synchronization, and administrator-approved deployments.
  • Identify blind spots where unmanaged browsers, personal profiles, local file installations, custom URLs, or incomplete endpoint coverage prevent reliable extension visibility.
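The evidence the technical view asks for (extension identifier, version, permissions, browser profile path and host platform) and the baseline comparison described in the detection direction above can be exercised with the following added example. It is not code from MITRE, Glexia or any browser vendor. It assumes the Google Chrome profile layout (a per-platform "User Data" root holding profiles such as Default and Profile 1, each with Extensions/<id>/<version>/manifest.json); other Chromium-family browsers mirror that layout under their own vendor directories, and Firefox, which keeps extension state differently, is not covered. The extension IDs, manifests and baseline format are constructed for illustration and are written to a temporary directory so the script runs offline.

```python
"""Cross-platform Chromium-family extension inventory compared against an
approved baseline. Added example for this page; not MITRE or Glexia code.
Profile layouts are Google Chrome's; Edge/Brave/Chromium use parallel
vendor directories. Firefox is not handled here."""
import json
import os
import platform
import tempfile
from dataclasses import dataclass
from pathlib import Path


def default_profile_roots(system: str = "") -> list[Path]:
    """Chrome 'User Data' roots per platform (each holds Default, Profile 1, ...)."""
    system = system or platform.system()
    home = Path.home()
    if system == "Windows":
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data"]
    if system == "Darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


@dataclass(frozen=True)
class Extension:
    extension_id: str             # 32-character directory name under Extensions/
    version: str
    name: str
    permissions: tuple[str, ...]  # manifest "permissions" plus "host_permissions"
    profile: str
    manifest_path: str


def scan_profile_root(root: Path) -> list[Extension]:
    """Walk <root>/<Profile>/Extensions/<id>/<version>/manifest.json.
    Install source (web store vs. local/unpacked) is recorded in the profile's
    Preferences / Secure Preferences JSON and is not parsed here."""
    found: list[Extension] = []
    if not root.is_dir():
        return found
    for profile_dir in sorted(root.iterdir()):
        ext_root = profile_dir / "Extensions"
        if not ext_root.is_dir():
            continue
        for id_dir in sorted(ext_root.iterdir()):
            for ver_dir in sorted(id_dir.iterdir()):
                manifest = ver_dir / "manifest.json"
                if not manifest.is_file():
                    continue
                try:
                    data = json.loads(manifest.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    continue  # a production collector should report unreadable manifests too
                perms = []
                for key in ("permissions", "host_permissions"):
                    value = data.get(key, [])
                    if isinstance(value, list):
                        perms.extend(p for p in value if isinstance(p, str))
                found.append(Extension(
                    extension_id=id_dir.name,
                    version=str(data.get("version", ver_dir.name)),
                    name=str(data.get("name", "")),
                    permissions=tuple(sorted(perms)),
                    profile=profile_dir.name,
                    manifest_path=str(manifest),
                ))
    return found


def diff_against_baseline(found: list[Extension], baseline: dict) -> list[tuple[str, Extension]]:
    """baseline maps extension_id -> {"versions": [...], "permissions": [...]}
    (an invented format). Returns (finding_type, extension) for anything outside it."""
    findings = []
    for ext in found:
        approved = baseline.get(ext.extension_id)
        if approved is None:
            findings.append(("unapproved_extension", ext))
            continue
        if ext.version not in approved.get("versions", ()):
            findings.append(("unexpected_version", ext))
        if set(ext.permissions) - set(approved.get("permissions", ())):
            findings.append(("permission_drift", ext))
    return findings


# Constructed fixture: synthetic IDs and manifests, not real extensions.
APPROVED_ID = "a" * 32
UNAPPROVED_ID = "b" * 32
BASELINE = {APPROVED_ID: {"versions": ["2.1.0"], "permissions": ["storage", "tabs"]}}


def write_constructed_profile(root: Path) -> None:
    def put(profile: str, ext_id: str, version: str, manifest: dict) -> None:
        d = root / profile / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    put("Default", APPROVED_ID, "2.1.0", {"manifest_version": 3, "name": "Approved Tool",
        "version": "2.1.0", "permissions": ["storage", "tabs"]})
    put("Profile 1", APPROVED_ID, "2.2.0", {"manifest_version": 3, "name": "Approved Tool",
        "version": "2.2.0", "permissions": ["storage", "tabs", "webRequest"],
        "host_permissions": ["<all_urls>"]})          # new version, broader permissions
    put("Default", UNAPPROVED_ID, "1.0.0", {"manifest_version": 3, "name": "Helper",
        "version": "1.0.0", "host_permissions": ["<all_urls>"]})  # not in baseline


def demo() -> list[tuple[str, str, str]]:
    """Scan the constructed profile root; returns sorted (finding, id, profile)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "User Data"
        write_constructed_profile(root)
        findings = diff_against_baseline(scan_profile_root(root), BASELINE)
    return sorted((kind, ext.extension_id, ext.profile) for kind, ext in findings)


if __name__ == "__main__":
    for kind, ext_id, profile in demo():
        print(f"{kind}: {ext_id} in profile '{profile}'")
```

On a real host, replace the constructed root with default_profile_roots() and feed the findings into the correlation step the detection direction describes (user, process and authentication context); the permission_drift finding in particular is what distinguishes a quietly updated extension that now asks for <all_urls> from a routine version bump.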

Mitigation priorities

  • Establish and maintain an approved browser-extension baseline for managed endpoints and high-risk user groups.
  • Use browser or endpoint management controls to restrict, approve, block, or force-install extensions where operationally appropriate.
  • Ensure endpoint inventory and configuration compliance processes include browser extension state, not just installed applications.
  • Define incident-response procedures for reviewing extension source, scope, affected users, and removal or containment actions.
  • Use compliance evidence to show that extension governance is monitored, exceptions are documented, and coverage gaps are tracked.
Analyst notes and limits

The supplied ATT&CK object is a detection strategy named Detecting Malicious Browser Extensions Across Platforms, external ID DET0044, and it detects T1176.001 Browser Extensions. The object itself has no official description, detection text, tactics, or platforms specified. The practical guidance here is therefore derived from the relationship to the Browser Extensions technique, which is associated with persistence and Linux, Windows, and macOS.

This take cannot assert specific analytics, data components, detection efficacy, active exploitation, adversary use, or vendor coverage because those details are not present in the supplied STIX fields. Local browser choices, endpoint management maturity, logging depth, and policy design will determine actual coverage.

Official MITRE ATT&CK definition

Detecting Malicious Browser Extensions Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                Type           Relationship / procedure
Enterprise  T1176.001  Browser Extensions  Sub-technique  This object detects Browser Extensions.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 92673d3a3ce7ed26...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  92673d3a3ce7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0044 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.