title: Browser Extension Installation
description: Lazy quyer for detecting the staging of xpi or crx
  extension packages for installation within Chrome and Firefox based browsers.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Persistence
   technique: T1176
   subtechnique: 
operating_system: windows
query: ( FileFullName RegExp "\bWebstore Downloads\b.*\.(crx)$" OR FileFullName RegExp
  "\bstaged\b.*\.(xpi)$" ) AND EventType = "File Creation"
false_positives: 
tags: