MITRE ATT&CK® Detection Strategy

DET0092: Detection of Malicious or Unauthorized Software Extensions

Enterprise · DET0092 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because unauthorized or malicious software extensions can turn trusted user applications into persistence points. For leaders, the practical issue is not only whether endpoint tools see malware, but whether the organization can account for extensions installed in browsers, IDEs, and similar software that users rely on every day.

Executive priority

Prioritize this as a control-validation topic for persistence risk across Linux, macOS, and Windows environments where software extensions are allowed. Executives should ask whether teams maintain an extension inventory, enforce approval where feasible, and can produce audit-ready evidence showing how unauthorized extensions are identified, reviewed, and removed. This is especially relevant to incident response scoping: persistence through an extension survives normal use of the host application and is missed if teams only review traditional startup locations or installed programs.

Technical view

The supplied ATT&CK object is a detection strategy for malicious or unauthorized software extensions and is linked to T1176 Software Extensions under the persistence tactic. SOC and IR teams should validate visibility into extension installation, loading, update, and configuration changes for relevant applications, especially web browsers and IDEs where local policy permits extensions. Detection engineering should focus on distinguishing approved business extensions from newly installed, manually loaded, unusual, or policy-violating extensions, then correlate those findings with user, host, and application activity during persistence investigations.

Likely telemetry

  • Endpoint inventory of installed software extensions and associated applications
  • Application or browser extension installation and update records where available
  • Host configuration and policy state for extension allowlists, blocklists, or manual loading
  • File system evidence for extension directories and manifests on Linux, macOS, and Windows
  • User and device context, including account, hostname, operating system, and application version

Detection direction

  • Validate that extension inventory exists for the applications in scope; lack of centralized extension visibility is the main blind spot for this strategy.
  • Baseline approved extensions by business function and tune alerts around new, rare, unsigned, manually loaded, or policy-disallowed extensions.
  • Correlate extension changes with persistence investigations rather than treating them as standalone malware detections.
  • Account for false positives from legitimate developer, accessibility, productivity, and security extensions, especially in IDE-heavy or engineering environments.
  • Confirm coverage separately across Linux, macOS, and Windows because the related ATT&CK technique spans all three platforms.
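The telemetry list and the detection direction above describe a check that is easy to state but rarely implemented end to end: take the extension inventory, compare it against an approved baseline and a blocklist, and surface new, rare, unsigned, manually loaded or policy-disallowed extensions together with the user, host, OS and application context an investigator needs. The block below is an added example, not part of the ATT&CK object or of Glexia's page. The record schema (field names such as `install_mode` and `signed`), the sample inventory records, the baseline and the blocklist are all constructed for illustration; in practice the records come from your endpoint agent or browser/IDE management tooling, and the baseline from your approved-extension register.

```python
"""Baseline / allowlist check over a constructed extension inventory.

Added example: the record schema, field names and sample values are
assumptions chosen to illustrate the detection direction on this page,
not a real product's inventory format.
"""
from collections import Counter, defaultdict

# Constructed sample inventory: one record per (host, application, extension).
# "install_mode" is an assumed field: "store" = installed from the vendor
# marketplace, "unpacked" = loaded manually from a local directory,
# "policy" = pushed by enterprise policy.
INVENTORY = [
    {"host": "ws-101", "user": "alice", "os": "Windows", "app": "browser",
     "ext_id": "ext-pwmanager", "name": "Password Manager", "version": "4.2.0",
     "install_mode": "store", "signed": True},
    {"host": "ws-102", "user": "bob", "os": "macOS", "app": "browser",
     "ext_id": "ext-pwmanager", "name": "Password Manager", "version": "4.2.0",
     "install_mode": "store", "signed": True},
    {"host": "ws-103", "user": "carol", "os": "Linux", "app": "ide",
     "ext_id": "ext-linter", "name": "Team Linter", "version": "1.9.3",
     "install_mode": "store", "signed": True},
    # Manually loaded from a local folder, unsigned, present on a single host.
    {"host": "ws-102", "user": "bob", "os": "macOS", "app": "browser",
     "ext_id": "ext-helper-local", "name": "Tab Helper", "version": "0.1",
     "install_mode": "unpacked", "signed": False},
    # Store-installed and signed, but explicitly disallowed by policy.
    {"host": "ws-104", "user": "dave", "os": "Windows", "app": "browser",
     "ext_id": "ext-vpn-free", "name": "Free VPN", "version": "2.0.1",
     "install_mode": "store", "signed": True},
]

# Approved extensions per application (the business baseline) and a blocklist.
BASELINE = {"browser": {"ext-pwmanager"}, "ide": {"ext-linter"}}
BLOCKLIST = {"ext-vpn-free"}
RARE_HOST_THRESHOLD = 1  # an unapproved extension on <= this many hosts is "rare"


def evaluate_inventory(records, baseline, blocklist, rare_threshold=RARE_HOST_THRESHOLD):
    """Return one finding per record that violates a rule, carrying the
    host/user/OS/app context needed to pivot during a persistence investigation."""
    hosts_per_ext = defaultdict(set)
    for r in records:
        hosts_per_ext[(r["app"], r["ext_id"])].add(r["host"])

    findings = []
    for r in records:
        approved = baseline.get(r["app"], set())
        reasons = []
        if r["ext_id"] in blocklist:
            reasons.append("policy-disallowed")
        if r["ext_id"] not in approved:
            reasons.append("not-in-baseline")
        if r["install_mode"] == "unpacked":
            reasons.append("manually-loaded")
        if not r["signed"]:
            reasons.append("unsigned")
        # Prevalence check: only for unapproved extensions, so a niche but
        # approved business extension on one host does not page anyone.
        if (r["ext_id"] not in approved
                and len(hosts_per_ext[(r["app"], r["ext_id"])]) <= rare_threshold):
            reasons.append("rare")
        if reasons:
            findings.append({
                "host": r["host"], "user": r["user"], "os": r["os"],
                "app": r["app"], "ext_id": r["ext_id"], "name": r["name"],
                "version": r["version"], "reasons": reasons,
            })
    return findings


def summarize_by_platform(findings):
    """Count findings per OS so coverage can be confirmed separately on
    Linux, macOS and Windows rather than assumed from one platform."""
    return dict(Counter(f["os"] for f in findings))


if __name__ == "__main__":
    found = evaluate_inventory(INVENTORY, BASELINE, BLOCKLIST)
    for f in found:
        print(f"{f['host']:7} {f['user']:6} {f['os']:8} {f['app']:8} "
              f"{f['ext_id']:17} {', '.join(f['reasons'])}")
    print(summarize_by_platform(found))
```

Run against the constructed inventory, the two approved extensions produce nothing, the unpacked "Tab Helper" is reported for four reasons at once (not in baseline, manually loaded, unsigned, rare), and the signed, store-installed "Free VPN" is still reported because the blocklist and baseline checks do not depend on signing. That last case is the point the detection direction makes: signing and marketplace origin alone are not the approval criterion.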

Mitigation priorities

  • Define which extension-capable applications are in scope and assign ownership for extension governance.
  • Implement approval, allowlisting, or restriction policies where supported by the application and operating environment.
  • Maintain an inventory of approved extensions and review exceptions periodically.
  • Include extension checks in incident response collection and persistence eradication procedures.
  • Use compliance evidence such as policy settings, inventory reports, and exception records to demonstrate control operation.

Analyst notes and limits

The official detection strategy object does not include a description, detection text, tactics, or platforms. The practical guidance here is derived conservatively from the object name and its relationship to ATT&CK technique T1176 Software Extensions, which is associated with persistence on Linux, macOS, and Windows.

This take does not identify specific products, extension paths, indicators, adversaries, or confirmed exploitation because those details were not supplied in the official fields or relationship context. Local application inventory and policy architecture are required to determine actual coverage.

Official MITRE ATT&CK definition

Detection of Malicious or Unauthorized Software Extensions

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1176
Name: Software Extensions
Relationship / procedure: This object detects Software Extensions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d09a6c7ab90497c4...
Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: d09a6c7ab904…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0092

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.