
Summary
This rule identifies Chromium-based browser instances (Chrome, Edge, Brave and other Chromium derivatives) launched with the '--load-extension' command-line flag, which side-loads an unpacked extension from a local directory without going through the browser's web store or enterprise policy. The rule fires when such a browser process is a child of a Windows shell or scripting host such as cmd.exe, PowerShell, or the Windows Script Host, a parent chain that is unusual for interactive browser use and typical of a script or dropper staging an unauthorized extension. A side-loaded extension can manipulate browser behavior and enable data exfiltration, session or credential theft, or traffic interception. The rule requires process-creation telemetry that records the full command line and the parent image (for example Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled), and it highlights attempts to abuse the browser through unauthorized extensions. Developer workflows and browser automation frameworks (Selenium or Puppeteer test runs, for instance) also use '--load-extension', so hosts with such workloads should be reviewed and tuned as exceptions rather than suppressed globally.
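As an added example, not the rule's own query or any vendor's code, the following Python applies the rule's three conditions (Chromium browser image, scripting-host parent, '--load-extension' on the command line) to a few constructed process-creation events written in the style of Sysmon Event ID 1. The browser and parent-process name lists are assumptions for illustration, not the rule's exact selection, and the function names are hypothetical. Beyond a plain substring check, it extracts the extension directory for triage, handles quoted and comma-separated values, and matches the switch case-insensitively because Chromium lowercases switch names on Windows.

```python
import re
from dataclasses import dataclass

# Assumed lists for illustration; the rule's exact selection may differ.
CHROMIUM_IMAGES = ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe")
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "pwsh.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe")

# Matches --load-extension=<value> or --load-extension <value>; the value may be
# quoted and may be a comma-separated list of directories.
LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Constructed events (not real telemetry), mimicking Sysmon Event ID 1 fields.
EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--load-extension="C:\Users\Public\ext" https://example.com'},
    {"Image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"brave.exe --no-first-run --LOAD-EXTENSION=C:\ProgramData\upd\x"},
    # Interactive launch from Explorer: flag present, but parent is not a scripting host.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"chrome.exe" --load-extension=C:\dev\myext'},
    # Script-spawned browser without the flag: benign automation, not flagged.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"chrome.exe" --incognito https://example.com'},
    # Non-browser binary with a look-alike argument: not flagged.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"notepad.exe --load-extension=x"},
]


@dataclass
class Match:
    image: str
    parent: str
    extension_paths: list


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_chromium_browser(image: str) -> bool:
    return basename(image) in CHROMIUM_IMAGES


def is_scripting_parent(parent_image: str) -> bool:
    return basename(parent_image) in SCRIPT_PARENTS


def extension_paths(cmdline: str) -> list:
    """Return every directory passed via --load-extension, in order."""
    paths = []
    for m in LOAD_EXT_RE.finditer(cmdline):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        paths.extend(p for p in value.split(",") if p)
    return paths


def detect(events) -> list:
    """Apply the rule's conditions; return one Match per suspicious event."""
    matches = []
    for ev in events:
        if not is_chromium_browser(ev["Image"]):
            continue
        if not is_scripting_parent(ev["ParentImage"]):
            continue
        paths = extension_paths(ev["CommandLine"])
        if not paths:
            continue
        matches.append(Match(ev["Image"], ev["ParentImage"], paths))
    return matches


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"[ALERT] {basename(hit.parent)} -> {basename(hit.image)} "
              f"loading extension(s): {hit.extension_paths}")
```

The extracted directory is the first thing to pull during triage: a world-writable location such as C:\Users\Public or C:\ProgramData, as in the constructed events, is far more suspicious than a developer's checkout, and the manifest.json found there shows which permissions and host patterns the extension requested.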
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-06-19