Query Details

Possible Malicious Browser Extension Loaded

Query

DeviceProcessEvents
| where FileName has_any('chrome.exe','msedge.exe')
and ProcessCommandLine contains "--load-extension"

Explanation

Returns all process events where the file name is "chrome.exe" or "msedge.exe" and the process command line contains "--load-extension".
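
A triage variant of the query above, added here as an example and not part of the original page or the author's query: it pulls the directory out of the `--load-extension` switch and groups hits per device, user and path. The rows in `SampleEvents` are constructed so the query runs stand-alone; the column names are the standard DeviceProcessEvents columns, and the exact-match file name filter is a choice of this example.

```kql
// Constructed sample rows; in a tenant, replace SampleEvents with DeviceProcessEvents.
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, AccountName:string,
    FileName:string, ProcessCommandLine:string, InitiatingProcessFileName:string)
[
    datetime(2024-03-20 09:15:00), "ws-01", "alice", "chrome.exe",
        @'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\ext1"',
        "powershell.exe",
    datetime(2024-03-20 10:02:00), "ws-02", "bob", "msedge.exe",
        @'msedge.exe --load-extension=C:\dev\ext-a,C:\dev\ext-b --no-first-run',
        "explorer.exe",
    datetime(2024-03-20 10:30:00), "ws-02", "bob", "chrome.exe",
        @'chrome.exe --profile-directory=Default',
        "explorer.exe"
];
SampleEvents
// Exact, case-insensitive file name match (tighter than has_any)
| where FileName in~ ("chrome.exe", "msedge.exe")
| where ProcessCommandLine contains "--load-extension"
// Capture the switch value, quoted or unquoted
| extend PathList = extract(@'--load-extension=("[^"]*"|\S+)', 1, ProcessCommandLine)
// The switch accepts a comma-separated list of directories: one row per directory
| mv-expand ExtensionPath = split(trim('"', PathList), ",") to typeof(string)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Launches = count(),
    Launchers = make_set(InitiatingProcessFileName)
    by DeviceName, AccountName, FileName, ExtensionPath
| order by LastSeen desc
```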

Details

Ali Hussein

Released: March 20, 2024

Tables

DeviceProcessEvents

Keywords

Device,Process,Events,FileName,ProcessCommandLine

Operators

where, has_any, contains