
Summary
This detection rule identifies the installation of browser extensions, which malicious actors can use as an attack vector. Browser extensions add functionality, but a malicious extension can masquerade as a legitimate one. The detection keys on the creation of the file types associated with Firefox (.xpi) and Chromium-based browsers (.crx) within typical user directories on Windows systems, and it filters out known safe processes to reduce false positives. During investigations, analysts are guided to review the file creation details, the process that wrote the file, and the user's activity to determine whether the host is compromised. The rule also describes how to manage false positives from Firefox language packs and dictionary add-ons, suggesting exclusions for them to improve detection accuracy. Response actions include quarantining affected systems, terminating suspicious processes, and running thorough scans to ensure no residual threats remain.
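The detection logic described above, as an added example that is not the rule's own query: it evaluates constructed Windows file-creation events for .xpi/.crx files under a user profile, drops events from an assumed allowlist of safe writer processes, and applies the Firefox language-pack and dictionary exclusion the summary mentions (the add-on naming pattern is an assumption, as are the field names).

```python
import re
from dataclasses import dataclass

# Constructed file-creation event; field names are assumed, not the rule's schema.
@dataclass
class FileEvent:
    path: str
    process_name: str
    user: str

# File types the rule keys on: Firefox (.xpi) and Chromium-based (.crx).
EXTENSION_RE = re.compile(r"\.(xpi|crx)$", re.IGNORECASE)
# Typical per-user locations on Windows (assumed pattern).
USER_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# Known-safe writers; an assumed allowlist, the rule's real list is not on this page.
SAFE_PROCESSES = {"msiexec.exe", "ccmexec.exe"}
# Firefox language packs and dictionaries, the false-positive class the summary
# calls out; naming pattern assumed from Mozilla add-on identifiers.
FIREFOX_BENIGN_RE = re.compile(
    r"(langpack-[a-z]{2,3}(-[A-Za-z]+)?@firefox\.mozilla\.org|"
    r"[a-z]{2,3}(-[A-Za-z]+)?@dictionaries\.addons\.mozilla\.org)\.xpi$",
    re.IGNORECASE,
)

def is_suspicious(ev: FileEvent) -> bool:
    """Return True when the event matches the rule after all exclusions."""
    name = ev.path.rsplit("\\", 1)[-1]
    if not EXTENSION_RE.search(name):
        return False                      # not an extension package
    if not USER_DIR_RE.match(ev.path):
        return False                      # outside typical user directories
    if ev.process_name.lower() in SAFE_PROCESSES:
        return False                      # known safe installer
    if FIREFOX_BENIGN_RE.search(name):
        return False                      # Firefox language pack / dictionary
    return True

def alerts(events):
    """Paths that would raise an alert, in event order."""
    return [ev.path for ev in events if is_suspicious(ev)]

# Constructed sample events for a quick self-check.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\a1.default\extensions\{e1b2}.xpi", "firefox.exe", "alice"),
    FileEvent(r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\helper.crx", "powershell.exe", "bob"),
    FileEvent(r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\a1.default\extensions\langpack-en-GB@firefox.mozilla.org.xpi", "firefox.exe", "alice"),
    FileEvent(r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\a1.default\extensions\en-US@dictionaries.addons.mozilla.org.xpi", "firefox.exe", "alice"),
    FileEvent(r"C:\Program Files\Mozilla Firefox\browser\features\builtin.xpi", "firefox.exe", "SYSTEM"),
    FileEvent(r"C:\Users\carol\Downloads\deployed.crx", "msiexec.exe", "carol"),
    FileEvent(r"C:\Users\dave\Desktop\notes.txt", "notepad.exe", "dave"),
]

if __name__ == "__main__":
    for p in alerts(SAMPLE_EVENTS):
        print("ALERT", p)
```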
Categories
- Endpoint
- Windows
Data Sources
- File
- Windows Registry
- Application Log
- Process
ATT&CK Techniques
- T1176
Created: 2023-08-22