Detections
- ID: DT060
- Created: 12th June 2024
- Updated: 14th June 2024
- Platforms: Windows, Linux, MacOS,
- Contributor: The ITM Team
Chrome Browser Extensions
Google's Chrome browser stores details about any browser extensions that are installed, providing the user with additional functionality.
On Windows, this information is stored in the following location: C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Extensions. Several directories will be listed, each one representing an installed extension. The directories and files inside, notably 'manifest.json', will contain information about the extension and its functionality. This can be combined with OSINT to learn more about the extension.
Sections
| ID | Name | Description |
|---|---|---|
| IF008 | Inappropriate Web Browsing | A subject accesses web content that is deemed inappropriate by the organization. |
| IF008.001 | Lawful Pornography | A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment. |
| IF008.002 | Unlawful Pornography | A subject accesses unlawful pornographic material from a organization device, contravening internal policies on acceptable use of organization equipment and potentially, the law. |
| IF008.003 | Terrorist Content | A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism). |
| IF008.004 | Extremist Content | A person accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups. |
| IF008.005 | Gambling | A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment. |
| IF008.006 | Inappropriate Usage of Social Media | A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image. |
| IF008.007 | Gaming | A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment. |
| IF008.008 | Other Inappropriate Content | A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment. |
| PR003.004 | Installing Browser Extensions | A subject can install unapproved browser extensions that provide additional features and functionality to the browser. |
| ME003.004 | Browser Extensions | The organization permits the installation or execution of unapproved browser extensions, introducing a mechanism by which web-accessible systems, authentication workflows, or data transactions can be intercepted, altered, or exploited. These extensions often operate with elevated browser-level permissions, including access to cookies, session tokens, clipboard content, keystrokes, or internal URLs. In environments where business systems are browser-based and authenticated via SSO or tokenized workflows, this exposure enables passive surveillance or active manipulation of sensitive operations.
Unapproved extensions typically fall outside the control perimeter of traditional endpoint detection tools or access control frameworks. When extension installation is user-controlled or unmonitored, it creates a circumstance in which subjects - intentionally or otherwise - can introduce new capabilities for access, data exfiltration, or surveillance. This includes extensions sourced from public repositories, sideloaded packages, or internally developed tools lacking code review or deployment controls.
The presence of ungoverned extension capability constitutes a durable and distributed access mechanism, especially in cloud-forward or hybrid environments where browser access is the primary interface to organizational systems. In many cases, infringement is made possible not by elevated privilege in the operating system, but by the absence of control within the browser execution layer. |
| IF009.007 | Installation of Unapproved Browser Extensions | The subject installs browser extensions on a managed device that have not been approved, vetted, or distributed via sanctioned organizational channels. These may include productivity tools, automation agents, data scrapers, content manipulators, or AI-enhanced interfaces. Installations typically originate from GitHub repositories, private developer sites, shared file storage, or sideloading tools that bypass enterprise browser controls.
Unapproved extensions introduce unmonitored execution environments directly into the subject’s browser, enabling silent access to sensitive web applications, stored credentials, and internal content. Many request expansive permissions (e.g.,
This behavior violates Acceptable Use Policies and, depending on the extension’s behavior, may also constitute unauthorized access, data exfiltration, or malware introduction. Some extensions—particularly those hosted on GitHub or distributed through Telegram groups or developer forums—have been found to contain obfuscated payloads, embedded credential harvesters, or cryptojacking modules.
Examples include:
While subjects may initially claim curiosity or productivity needs, repeated installation of unapproved extensions—especially after prior enforcement—may indicate normalization of risky behavior or active circumvention of controls. |