
Windows Chromium Process Loaded Extension via Command-Line

Splunk Security Content

Summary
This detection identifies Google Chrome (and other Chromium-based browsers) being launched with the command-line switch `--load-extension`, which loads an unpacked extension from a local directory without going through the Chrome Web Store. The switch is a common way to sideload an extension that enterprise extension policy would otherwise block, so its use can indicate an attempt to circumvent those policies, install a malicious extension, or load a component that compromises the user's browser session. Alerting on it lets an organization detect unauthorized extension usage, catch a browser-based persistence mechanism early, and enforce its browser-use policy. The rule runs against process-creation telemetry normalized into the Endpoint datamodel, from sources such as Sysmon (Event ID 1), Windows Security event log process-creation events (Event ID 4688, which only carries the command line when command-line auditing is enabled), and CrowdStrike. Developer and test-automation workflows use the same switch legitimately, so tune on user, parent process, and extension path before treating a hit as malicious.
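The check the rule performs, as an added stand-alone example in Python rather than the rule's own SPL search (not code from Splunk Security Content). It runs the detection logic over constructed Sysmon Event ID 1 style records; the list of Chromium-family image names, the sample paths, users and parent processes are assumptions for illustration. It also shows two details a naive substring match gets wrong: the switch carries a comma-separated list of directories and may be quoted mid-argument, and the same string in a non-browser process should not fire.

```python
"""Stand-alone re-implementation of the --load-extension check.

Added example, not the Splunk rule's own SPL. Image names, users and
parent processes in the sample records are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Chromium-family executables the check is scoped to (assumed list; the
# original rule's exact process filter is not reproduced here).
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe",
                   "opera.exe", "vivaldi.exe"}

SWITCH = "--load-extension"


@dataclass
class Finding:
    image: str
    user: str
    parent_image: str
    extension_paths: list = field(default_factory=list)


def split_windows_cmdline(cmdline: str) -> list:
    """Split a Windows command line into arguments.

    Double quotes group text and may appear mid-argument, as in
    --load-extension="C:\\Dir With Space",C:\\Other; the quote characters
    themselves are dropped. The backslash-escape rules of
    CommandLineToArgvW are deliberately not modelled; this is enough for
    path-style values.
    """
    args, current, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if current:
                args.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current))
    return args


def loaded_extension_paths(cmdline: str):
    """Return (switch_present, [paths]) for --load-extension in a command line.

    Chromium takes the value as --load-extension=path1,path2,... ; the switch
    name is matched case-insensitively here as a defensive choice so a change
    of letter case in the telemetry does not slip past the check.
    """
    present, paths = False, []
    for arg in split_windows_cmdline(cmdline)[1:]:   # skip the program path
        lower = arg.lower()
        if lower == SWITCH:
            present = True                           # bare switch, no value
        elif lower.startswith(SWITCH + "="):
            present = True
            value = arg[len(SWITCH) + 1:]            # keep original casing
            paths.extend(p for p in value.split(",") if p)
    return present, paths


def check_event(event: dict):
    """Apply the rule to one process-creation record; None if it does not fire."""
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    if image_name not in CHROMIUM_IMAGES:
        return None   # the string in an unrelated process is out of scope
    present, paths = loaded_extension_paths(event["CommandLine"])
    if not present:
        return None
    return Finding(event["Image"], event.get("User", ""),
                   event.get("ParentImage", ""), paths)


def run_detection(events):
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed Sysmon Event ID 1 style records; not real telemetry.
SAMPLE_EVENTS = [
    {   # fires: two unpacked extensions, one from a Temp directory
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                       r'--load-extension="C:\Users\bob\AppData\Local\Temp\upd ext",C:\Users\bob\ext2 '
                       r'--no-first-run https://example.com',
        "User": r"CORP\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # does not fire: ordinary Edge launch
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
        "User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # does not fire: the string appears, but not in a Chromium-family process
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r'notepad.exe C:\notes\how-to-use---load-extension.txt',
        "User": r"CORP\alice", "ParentImage": r"C:\Windows\explorer.edu",
    },
    {   # fires: upper-cased switch, single path, launched from a script host
        "Image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
        "CommandLine": r'brave.exe --LOAD-EXTENSION=C:\dev\myext',
        "User": r"CORP\dev",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"{f.user} {f.image} loaded {f.extension_paths} (parent {f.parent_image})")
```

The extracted directory list and parent image are what an analyst triages on: an extension under a user's Temp directory spawned from cmd.exe or a script host is a different case from a developer's checkout launched from an IDE, even though both trip the same switch.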
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1185 (Browser Session Hijacking)
Created: 2026-01-12