Persistence

T1176: Software Extensions

T1176 · Technique · 3 platforms

Description

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms.(Citation: Chrome Extension C2 Malware)(Citation: Abramovsky VSCode Security) Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.

Malicious extensions can be introduced through various methods, including social engineering, compromised marketplaces, or direct installation by users or by adversaries who have already gained access to a system. Malicious extensions can be named similarly or identically to benign extensions in marketplaces. Security mechanisms in extension marketplaces may be insufficient to detect malicious components, allowing adversaries to bypass automated scanners or exploit trust established during the installation process. Adversaries may also abuse benign extensions to achieve their objectives, such as using legitimate functionality to tunnel data or bypass security controls.

The modular nature of extensions and their integration with host applications make them an attractive target for adversaries seeking to exploit trusted software ecosystems. Detection can be challenging due to the inherent trust placed in extensions during installation and their ability to blend into normal application workflows.

Platforms

Linux, macOS, Windows

Sub-Techniques (2)

Mitigations (5)

Limit Software Installation (M1033)

Only install extensions from trusted sources that can be verified.

Audit (M1047)

Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones.

User Training (M1017)

Train users to minimize extension use, and to only install trusted extensions.

Update Software (M1051)

Ensure operating systems and software are using the most current version.

Execution Prevention (M1038)

Set an extension allow or deny list as appropriate for your security policy.
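The Audit (M1047) and Execution Prevention (M1038) mitigations above both come down to knowing which extensions are actually installed and comparing them with policy. The following Python script is an added example, not code from the ATT&CK page or from any vendor tool. It assumes the Chromium on-disk layout (`<profile>/Extensions/<id>/<version>/manifest.json`); the extension ids, manifests, allowlist, denylist and the "broad permissions" watchlist are all constructed for the demonstration. Besides an allow/deny check it flags the masquerade case from the description (an extension whose display name matches a trusted one but whose id does not) and any extension requesting wide-reaching permissions.

```python
"""Audit installed browser extensions against an allow/deny policy.

Added example, not part of the ATT&CK page or any vendor tooling. Assumes the
Chromium extension layout <profile>/Extensions/<id>/<version>/manifest.json.
All ids, manifests and policy lists below are constructed sample data.
"""
import json
import tempfile
from pathlib import Path

# Defender-chosen watchlist of permissions that reach into browsing data
# (an assumption for this example, not an official Chromium classification).
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                     "cookies", "history", "nativeMessaging", "debugger"}


def load_manifests(root):
    """Return {extension_id: manifest_dict} for every manifest under root."""
    found = {}
    for manifest in Path(root).glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name      # .../<id>/<version>/manifest.json
        with open(manifest, encoding="utf-8") as fh:
            found[ext_id] = json.load(fh)
    return found


def audit_extensions(installed, allowlist, denylist):
    """Compare installed extensions with policy.

    allowlist maps trusted extension id -> expected display name, so a
    look-alike (same name, different id) is reported as a masquerade.
    Returns a sorted list of (extension_id, finding) tuples.
    """
    trusted_names = {n.lower(): i for i, n in allowlist.items()}
    findings = []
    for ext_id, manifest in installed.items():
        name = str(manifest.get("name", "")).lower()
        perms = (set(manifest.get("permissions", []))
                 | set(manifest.get("host_permissions", [])))
        if ext_id in denylist:
            findings.append((ext_id, "denylisted"))
        elif ext_id not in allowlist:
            if name in trusted_names and trusted_names[name] != ext_id:
                findings.append((ext_id, f"masquerade: name '{name}' belongs to "
                                         f"{trusted_names[name]}"))
            else:
                findings.append((ext_id, "not on allowlist"))
        broad = sorted(perms & BROAD_PERMISSIONS)
        if broad:
            findings.append((ext_id, "broad permissions: " + ", ".join(broad)))
    return sorted(findings)


# Constructed sample data. Chromium ids are 32 letters a-p; these are fake.
TRUSTED_ID = "a" * 32
LOOKALIKE_ID = "b" * 32
UNKNOWN_ID = "c" * 32
BLOCKED_ID = "d" * 32

SAMPLE_MANIFESTS = {
    TRUSTED_ID: {"name": "Corp Password Manager", "version": "3.1",
                 "permissions": ["storage"]},
    LOOKALIKE_ID: {"name": "Corp Password Manager", "version": "1.0",
                   "permissions": ["cookies", "webRequest"],
                   "host_permissions": ["<all_urls>"]},
    UNKNOWN_ID: {"name": "Tab Cleaner", "version": "0.9",
                 "permissions": ["tabs"]},
}
ALLOWLIST = {TRUSTED_ID: "Corp Password Manager"}
DENYLIST = {BLOCKED_ID}


def demo():
    """Write the sample manifests to a temp profile, load and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            ext_dir = Path(root, ext_id, manifest["version"])
            ext_dir.mkdir(parents=True)
            (ext_dir / "manifest.json").write_text(json.dumps(manifest),
                                                   encoding="utf-8")
        return audit_extensions(load_manifests(root), ALLOWLIST, DENYLIST)


if __name__ == "__main__":
    for ext_id, finding in demo():
        print(f"{ext_id}  {finding}")
```

Running the script reports the look-alike twice (masquerade plus broad permissions) and the unknown extension once, while the trusted extension produces no finding. In practice the allowlist would be exported from the same source that feeds the browser's managed extension policy, so the audit and the enforcement cannot drift apart.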

Frequently Asked Questions

What is T1176 (Software Extensions)?

T1176 is a MITRE ATT&CK technique named 'Software Extensions'. It belongs to the Persistence tactic. Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms.

How can T1176 be detected?

Detection of T1176 (Software Extensions) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1176?

There are 5 documented mitigations for T1176. Key mitigations include: Limit Software Installation, Audit, User Training, Update Software, Execution Prevention.

Which threat groups use T1176?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.