rule M_Hunting_LNKEngine_LoadExtension_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule that looks for files containing strings pertaining to execution of Edge, Opera, Brave, Chrome to launch an extension."
		md5 = "30abf9ca1bb792eb5edd8b033c010979"
	strings:
		$r1 = /(chrome|msedge|opera|brave)[^\r\n]+--load-extension=/ ascii wide nocase
		$s1 = "chrome" ascii wide
		$s2 = "--load-extension=" ascii wide
	condition:
		(uint32(0) == 0x0000004c) and filesize < 50KB and all of ($s*) and $r1
}