Windows Chromium Process with Disabled Extensions

Splunk Security Content

Summary
This detection rule identifies instances where Chromium-based browser processes (such as Chrome, Brave, Opera, Vivaldi, and Edge) on Windows are launched with the '--disable-extensions' command-line argument. This behavior can signify anything from legitimate automation and testing frameworks to potentially malicious actions aimed at bypassing security measures. Disabling browser extensions reduces visibility into activities carried out by the browser, which adversaries may exploit to conduct stealthy operations without interference from user-installed security solutions. The analytic leverages process metadata from Sysmon, Windows security logs, and CrowdStrike. Analysts are advised to investigate the execution context, including the parent process and the full command-line arguments, to differentiate between benign and suspicious behavior and so validate the threat thoroughly.
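The following is an added example that models the detection logic described above in Python; it is not the Splunk analytic's own SPL search. It runs over a few constructed Sysmon-style process-creation records, matches the exact '--disable-extensions' switch (so the distinct '--disable-extensions-except=' switch does not trigger it), and attaches the parent-process context an analyst would want for triage. The event text format, the browser image-name list and the automation-parent list are assumptions made for the example, not values taken from the analytic.

```python
"""Added example: flag Chromium browsers started with --disable-extensions.

Not the Splunk analytic's own search. Event format, browser image names and
the automation-parent list below are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Image names treated as Chromium-based browsers (assumed list for the example).
CHROMIUM_IMAGES = {"chrome.exe", "brave.exe", "opera.exe", "vivaldi.exe", "msedge.exe"}

# Parents often seen for legitimate browser automation (assumed tuning list).
# A match lowers triage priority; it is context, not an allow-list.
AUTOMATION_PARENTS = {"chromedriver.exe", "msedgedriver.exe", "node.exe", "python.exe"}

# Windows command-line tokeniser: a double-quoted run or a bare run.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    user: str


def parse_events(text: str) -> list[ProcessEvent]:
    """Parse blank-line separated 'Key: value' blocks (Sysmon-style text)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first ':' only
            fields[key.strip()] = value.strip()
        events.append(ProcessEvent(fields.get("Image", ""), fields.get("CommandLine", ""),
                                   fields.get("ParentImage", ""), fields.get("User", "")))
    return events


def tokens(command_line: str) -> list[str]:
    """Split a command line into switches, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(command_line)]


def has_disable_extensions(command_line: str) -> bool:
    """True only for the exact switch; '--disable-extensions-except=...' is ignored."""
    return any(t.lower() == "--disable-extensions" for t in tokens(command_line))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcessEvent]) -> list[dict]:
    """Return one finding per Chromium process launched with --disable-extensions."""
    hits = []
    for ev in events:
        if basename(ev.image) in CHROMIUM_IMAGES and has_disable_extensions(ev.command_line):
            parent = basename(ev.parent_image)
            hits.append({"image": basename(ev.image), "parent": parent, "user": ev.user,
                         "command_line": ev.command_line,
                         "likely_automation": parent in AUTOMATION_PARENTS})
    return hits


# Constructed sample events: two true positives, one Firefox launch, one Edge
# launch using the unrelated --disable-extensions-except switch, one plain Chrome.
SAMPLE_EVENTS = r"""
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-extensions --headless=new
ParentImage: C:\Tools\chromedriver.exe
User: CORP\svc_qa

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
CommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-extensions-except=C:\dev\myext
ParentImage: C:\Windows\explorer.exe
User: CORP\jdoe

Image: C:\Users\jdoe\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe
CommandLine: brave.exe --DISABLE-EXTENSIONS --no-first-run
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: CORP\jdoe

Image: C:\Program Files\Mozilla Firefox\firefox.exe
CommandLine: firefox.exe --disable-extensions
ParentImage: C:\Windows\explorer.exe
User: CORP\jdoe

Image: C:\Program Files\Google\Chrome\Application\chrome.exe
CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default
ParentImage: C:\Windows\explorer.exe
User: CORP\jdoe
"""

if __name__ == "__main__":
    for hit in detect(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

Running the block prints two findings: the chromedriver-spawned Chrome instance tagged as likely automation, and the PowerShell-spawned Brave instance, which is the one that merits a closer look at the parent and the rest of the command line. In production the same parent/command-line fields come from the Sysmon, Windows security log or CrowdStrike process events the analytic consumes.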
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1497
Created: 2026-01-23