https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-pro-browser-extensions/m-p/1248479#M9142 <P>Has anyone ever configured their environment to detect on unauthorized or unsupported browser extensions? Or conduct a threat hunt based on known facts?</P> <P>&nbsp;</P> <P>We've seen some slip through the cracks and I know Cortex doesn't natively detect abused or malicious extensions. Any XQL ideas out there perhaps?&nbsp;</P> Wed, 18 Feb 2026 12:27:42 GMT CraigV123 2026-02-18T12:27:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-pro-browser-extensions/m-p/1248479#M9142 <P>Has anyone ever configured their environment to detect on unauthorized or unsupported browser extensions? Or conduct a threat hunt based on known facts?</P> <P>&nbsp;</P> <P>We've seen some slip through the cracks and I know Cortex doesn't natively detect abused or malicious extensions. Any XQL ideas out there perhaps?&nbsp;</P> Wed, 18 Feb 2026 12:27:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-pro-browser-extensions/m-p/1248479#M9142 CraigV123 2026-02-18T12:27:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-pro-browser-extensions/m-p/1248482#M9144 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112301">@CraigV123</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P data-start="0" data-end="213">I would like to inform you that Cortex XDR does not natively provide a dashboard inventory or direct blocking of browser extensions by ID/name, you can configure detection and conduct threat hunts using XQL and existing behavioral modules.</P> <H4 data-start="220" data-end="252">&nbsp;</H4> <H4 data-start="220" data-end="252">1. Native Product Limitations:</H4> <P data-start="254" data-end="533">-Cortex XDR operates primarily at the Operating System (OS) level. Because browser extensions run within the browser’s internal sandbox environment and do not typically create independent OS processes, the agent lacks native visibility into the internal list of loaded extensions.</P> <P data-start="254" data-end="533">&nbsp;</P> <P data-start="535" data-end="725">-Direct management or blocking of specific extension IDs is a recognized product limitation, and several feature requests (CXDR-I-1134 and CXDR-I-146) exist to address this in future updates.</P> <HR data-start="727" data-end="730" /> <H4 data-start="732" data-end="762">2. XQL Threat Hunting Ideas:</H4> <P data-start="764" data-end="914">You can hunt for unauthorized extensions by searching for file activity in standard extension directories or extracting extension IDs from file paths.</P> <H5 data-start="916" data-end="956">A. Searching for Known Malicious IDs:</H5> <P data-start="958" data-end="1079">If you have a list of malicious or unauthorized extension IDs, you can search for their presence in the file system logs.</P> <DIV class="contain-inline-size rounded-2xl corner-superellipse/1.1 relative bg-token-sidebar-surface-primary"> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-sql"><SPAN>dataset <SPAN class="hljs-operator">=</SPAN> xdr_data <SPAN class="hljs-operator">|</SPAN> <SPAN class="hljs-keyword">filter</SPAN> file_path <SPAN class="hljs-keyword">contains</SPAN> "Chrome\\User Data" <SPAN class="hljs-keyword">and</SPAN> file_path <SPAN class="hljs-keyword">contains</SPAN> "[INSERT_EXTENSION_ID_HERE]" <SPAN class="hljs-operator">|</SPAN> dedup agent_hostname</SPAN></CODE></DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-sql"></CODE></DIV> </DIV> <H5 data-start="1240" data-end="1285">B. Extracting All Installed Extension IDs:</H5> <P data-start="1287" data-end="1435">You can use regular expressions to extract 32-character extension IDs from file path events to create a list of what is running in your environment.</P> <P data-start="1287" data-end="1435">&nbsp;</P> <DIV class="contain-inline-size rounded-2xl corner-superellipse/1.1 relative bg-token-sidebar-surface-primary"> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-sql"><SPAN>config case_sensitive <SPAN class="hljs-operator">=</SPAN> <SPAN class="hljs-literal">false</SPAN> <SPAN class="hljs-operator">|</SPAN> dataset <SPAN class="hljs-operator">=</SPAN> xdr_data <SPAN class="hljs-operator">|</SPAN> <SPAN class="hljs-keyword">filter</SPAN> event_type <SPAN class="hljs-operator">=</SPAN> FILE <SPAN class="hljs-keyword">and</SPAN> event_sub_type <SPAN class="hljs-operator">!=</SPAN> FILE_REMOVE <SPAN class="hljs-operator">|</SPAN> <SPAN class="hljs-keyword">filter</SPAN> action_file_path <SPAN class="hljs-keyword">contains</SPAN> "Extensions" <SPAN class="hljs-operator">|</SPAN> <SPAN class="hljs-keyword">alter</SPAN> extension_id <SPAN class="hljs-operator">=</SPAN> arrayindex(regextract(action_file_path, "(\w{32})"), <SPAN class="hljs-number">0</SPAN>) <SPAN class="hljs-operator">|</SPAN> <SPAN class="hljs-keyword">filter</SPAN> extension_id <SPAN class="hljs-operator">!=</SPAN> <SPAN class="hljs-keyword">null</SPAN> <SPAN class="hljs-operator">|</SPAN> stats <SPAN class="hljs-built_in">count</SPAN>() <SPAN class="hljs-keyword">by</SPAN> agent_hostname, extension_id</SPAN></CODE></DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-sql"></CODE></DIV> </DIV> <H5 data-start="1771" data-end="1801">C. Locating Manifest Files:</H5> <P data-start="1803" data-end="2005">To identify the name and details of an extension found via hunting, you can use the File Search and Destroy feature or Live Terminal to locate the <CODE data-start="1950" data-end="1965">manifest.json</CODE> file associated with the identified ID:</P> <P>&nbsp;</P> <DIV class="contain-inline-size rounded-2xl corner-superellipse/1.1 relative bg-token-sidebar-surface-primary"> <DIV class="sticky top-[calc(var(--sticky-padding-top)+9*var(--spacing))]"> <DIV class="absolute end-0 bottom-0 flex h-9 items-center pe-2"> <DIV class="bg-token-bg-elevated-secondary text-token-text-secondary flex items-center gap-4 rounded-sm px-2 font-sans text-xs"><CODE class="whitespace-pre!">C:\Users\&lt;<SPAN class="hljs-keyword">user</SPAN>&gt;\AppData\<SPAN class="hljs-keyword">Local</SPAN>\Google\Chrome\<SPAN class="hljs-keyword">User</SPAN> Data\<SPAN class="hljs-keyword">Default</SPAN>\Extensions\&lt;extension_id&gt;\&lt;<SPAN class="hljs-keyword">version</SPAN>&gt;\manifest.json</CODE></DIV> </DIV> </DIV> </DIV> <P><LI-WRAPPER></LI-WRAPPER></P> <H4 data-start="2133" data-end="2185">3. Detection via Analytics and Behavioral Modules:</H4> <P data-start="2187" data-end="2284">Cortex XDR includes built-in mechanisms to catch extensions when they exhibit malicious behavior:</P> <UL data-start="2286" data-end="2732"> <LI data-start="2286" data-end="2524"> <P data-start="2288" data-end="2524"><STRONG data-start="2288" data-end="2309">Analytics Alerts:</STRONG> The platform can trigger the alert <EM data-start="2345" data-end="2411">"A browser extension was installed or loaded in an uncommon way"</EM> based on suspicious installation methods (e.g., loading via special command-line arguments or LOLBIN processes).</P> </LI> <LI data-start="2525" data-end="2732"> <P data-start="2527" data-end="2732"><STRONG data-start="2527" data-end="2566">Behavioral Threat Protection (BTP):</STRONG> If an extension attempts to drop a payload, steal credentials, or perform process injection, BTP and Anti-Exploit modules will block the action at the process level.</P> </LI> </UL> <HR data-start="2734" data-end="2737" /> <H4 data-start="2739" data-end="2776">4. Recommended Management Strategy:</H4> <P data-start="2778" data-end="2913">For proactive enforcement, it is recommended to supplement Cortex XDR with administrative tools designed for application-layer control:</P> <UL data-start="2915" data-end="3298" data-is-last-node="" data-is-only-node=""> <LI data-start="2915" data-end="3043"> <P data-start="2917" data-end="3043"><STRONG data-start="2917" data-end="2929">Windows:</STRONG> Use Group Policy Objects (GPO) to configure the <EM data-start="2978" data-end="3007">Extension Install Blocklist</EM> or <EM data-start="3011" data-end="3022">Allowlist</EM> for Chrome and Edge.</P> </LI> <LI data-start="3044" data-end="3140"> <P data-start="3046" data-end="3140"><STRONG data-start="3046" data-end="3056">macOS:</STRONG> Use Mobile Device Management (MDM) profiles to push browser configuration payloads.</P> </LI> <LI data-start="3141" data-end="3298" data-is-last-node=""> <P data-start="3143" data-end="3298" data-is-last-node=""><STRONG data-start="3143" data-end="3167">Enterprise Browsers:</STRONG> Consider solutions such as Prisma Access Browser, which provide granular application-layer visibility into extension environments.</P> </LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 18 Feb 2026 13:58:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-pro-browser-extensions/m-p/1248482#M9144 susekar 2026-02-18T13:58:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-pro-browser-extensions/m-p/1248920#M9166 <P>To add to the excellent suggestions made by&nbsp;<SPAN class="UserName lia-user-name lia-user-rank-L4-Transporter lia-component-message-view-widget-author-username"><A id="link_14" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/241098" aria-label="View Profile of susekar" target="_blank"><SPAN class="">susekar</SPAN></A></SPAN></P> <P>&nbsp;</P> <P>I would suggest having a look at&nbsp;<A href="https://github.com/toborrm9/malicious_extension_sentry" target="_blank">https://github.com/toborrm9/malicious_extension_sentry</A></P> <P>Not saying you should run this tool, but have a look at this more specifically for a list of known malicious extensionID.</P> <P><A href="https://github.com/toborrm9/malicious_extension_sentry/blob/main/Malicious-Extensions.csv" target="_blank">https://github.com/toborrm9/malicious_extension_sentry/blob/main/Malicious-Extensions.csv</A></P> Tue, 24 Feb 2026 20:13:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-pro-browser-extensions/m-p/1248920#M9166 Alexandre_Jodoin 2026-02-24T20:13:42Z