Browser Process Spawned from an Unusual Parent
Identifies instances where an unusual process spawns a chrome browser child process. This behavior could be related to malware stealing browser information.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/08/27"
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/08/27"

[rule]
author = ["Elastic"]
description = """
Identifies instances where an unusual process spawns a chrome browser child process. This behavior could be related to malware
stealing browser information.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Browser Process Spawned from an Unusual Parent"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Browser Process Spawned from an Unusual Parent

### Possible investigation steps

- Review the process execution details to confirm that a web browser process (e.g., chrome.exe, msedge.exe, firefox.exe) has an unusual or suspicious parent process. Focus on the process.parent.name, process.name, and process.args fields.
- Examine the command line arguments for signs of remote debugging flags (e.g., --remote-debugging-port, --remote-debugging-pipe) or injected DLLs that could indicate attempts to hijack browser sessions.
- Check whether the parent process is a scripting host (e.g., wscript.exe, cscript.exe), system utility, or unexpected binary (e.g., cmd.exe, rundll32.exe, powershell.exe) rather than the legitimate browser updater or system launcher.
- Investigate if the suspicious parent process has a known reputation or hash linked to malware or credential-stealing tools by correlating with threat intelligence sources.
- Look for additional related processes spawned by the browser that might indicate malicious activity, such as network connections to unusual external IPs or data exfiltration attempts.
- Review authentication logs to identify if any credential theft attempts occurred shortly after the suspicious browser activity, focusing on abnormal logins, failed authentications, or credential access patterns.
- Cross-reference with endpoint telemetry (e.g., Defender for Endpoint, Sysmon) to identify whether this event is part of a broader intrusion attempt involving code injection or persistence mechanisms.

### False positive analysis

- Certain enterprise management or testing tools may launch browsers with remote debugging enabled for automation purposes. Identify and document such legitimate tools and processes.
- Development environments may use browser remote debugging features during legitimate software testing. Exclude known dev/test machines or users from triggering alerts in production environments.
- Security testing frameworks or internal red team activities may use similar techniques. Coordinate with authorized security teams to whitelist scheduled exercises.
- Browser extensions or third-party plugins could sometimes spawn processes that appear unusual. Validate if the behavior aligns with known, legitimate extensions.
- Automated IT scripts or orchestration tools might start browsers in debugging mode for monitoring purposes. Whitelist these cases based on process path, signature, or command-line arguments.

### Response and remediation

- Isolate the affected endpoint from the network to prevent potential credential theft or data exfiltration.
- Terminate any suspicious processes identified in the alert, including both the browser and its anomalous parent process.
- Collect forensic artifacts (process memory, browser profiles, injected modules) for further investigation and potential IOCs.
- Reset credentials for accounts that may have been exposed through the compromised browser session.
- Deploy updated endpoint protection signatures and enable stricter application control policies to prevent browsers from being launched by untrusted processes.
- Enhance monitoring for browser processes launched with debugging flags or code injection indicators across the environment.
- Escalate to the SOC or IR team to determine whether this event is part of a larger credential theft campaign or linked to other lateral movement activity."""
references = ["https://www.elastic.co/security-labs/katz-and-mouse-game"]
risk_score = 73
rule_id = "46b01bb5-cff2-4a00-9f87-c041d9eab554"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : ("chrome.exe", "msedge.exe") and
  process.parent.executable != null and process.command_line != null and
  (
    process.command_line :
      ("\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"",
       "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"",
       "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --disable-logging --log-level=3 --v=0",
       "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --log-level=3",
       "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless",
       "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=922? --profile-directory=\"Default\"*",
       "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --restore-last-session --remote-debugging-port=45452*") or

    (process.args : "--remote-debugging-port=922?" and process.args : "--window-position=-*,-*")
  ) and
  not process.parent.executable :
    ("C:\\Windows\\explorer.exe",
     "C:\\Program Files (x86)\\*.exe",
     "C:\\Program Files\\*.exe",
     "C:\\Windows\\System32\\rdpinit.exe",
     "C:\\Windows\\System32\\sihost.exe",
     "C:\\Windows\\System32\\RuntimeBroker.exe",
     "C:\\Windows\\System32\\SECOCL64.exe")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.003"
name = "Credentials from Web Browsers"
reference = "https://attack.mitre.org/techniques/T1555/003/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
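To make the query's matching behaviour concrete for triage and tuning, the following Python is an added example (not part of the Elastic rule or its repository) that re-implements the rule's logic over constructed process-start events. The patterns and exclusions are the ones from the query above, written as plain Python strings with the same final value the EQL engine sees after its `\"` and `\\` escapes are resolved; the `eql_like` helper is an approximation of EQL's `:` operator (case-insensitive, `*` matches any run of characters, `?` exactly one, whole-string match). The event ids, parent paths and command lines in `SAMPLE_EVENTS` are constructed for the demonstration and are not from any real telemetry.

```python
import re

# Values copied from the rule's EQL query. The TOML ''' literal passes the text
# unchanged to EQL, whose string escapes turn \" into " and \\ into \, so these
# Python literals hold exactly the strings the engine compares against.
BROWSER_NAMES = ("chrome.exe", "msedge.exe")
CHROME = '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'
COMMAND_LINE_PATTERNS = (
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"',
    CHROME,
    CHROME + " --headless --disable-logging --log-level=3 --v=0",
    CHROME + " --headless --log-level=3",
    CHROME + " --headless",
    CHROME + ' --remote-debugging-port=922? --profile-directory="Default"*',
    CHROME + " --headless --restore-last-session --remote-debugging-port=45452*",
)
ARG_DEBUG_PORT = "--remote-debugging-port=922?"
ARG_OFFSCREEN = "--window-position=-*,-*"
EXCLUDED_PARENTS = (
    "C:\\Windows\\explorer.exe",
    "C:\\Program Files (x86)\\*.exe",
    "C:\\Program Files\\*.exe",
    "C:\\Windows\\System32\\rdpinit.exe",
    "C:\\Windows\\System32\\sihost.exe",
    "C:\\Windows\\System32\\RuntimeBroker.exe",
    "C:\\Windows\\System32\\SECOCL64.exe",
)


def eql_like(value, pattern):
    """Approximate EQL ':' : case-insensitive whole-string match, '*' any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def any_like(value, patterns):
    return any(eql_like(value, p) for p in patterns)


def matches_rule(event):
    """Return True when one process-start event satisfies the rule's EQL query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not any_like(event.get("process.name", ""), BROWSER_NAMES):
        return False
    parent = event.get("process.parent.executable")
    cmdline = event.get("process.command_line")
    if parent is None or cmdline is None:          # both must be non-null
        return False
    args = event.get("process.args") or []
    # Branch 1: the full command line equals one of the listed launch shapes.
    # Branch 2: the args array carries both the debug-port flag and an off-screen window.
    suspicious_launch = any_like(cmdline, COMMAND_LINE_PATTERNS) or (
        any(eql_like(a, ARG_DEBUG_PORT) for a in args)
        and any(eql_like(a, ARG_OFFSCREEN) for a in args)
    )
    if not suspicious_launch:
        return False
    # Finally, the parent must not be one of the known-benign launchers.
    return not any_like(parent, EXCLUDED_PARENTS)


def evaluate(events):
    """Return the ids of the events that would raise this alert."""
    return [e["id"] for e in events if matches_rule(e)]


def _event(eid, parent, cmdline, args, name="chrome.exe"):
    return {"id": eid, "host.os.type": "windows", "event.type": "start", "process.name": name,
            "process.parent.executable": parent, "process.command_line": cmdline, "process.args": args}


# Constructed sample events (not real telemetry) covering each branch of the query.
SAMPLE_EVENTS = [
    # Ordinary launch from the shell: pattern matches, but explorer.exe is excluded.
    _event("explorer-normal", "C:\\Windows\\explorer.exe", CHROME, [CHROME.strip('"')]),
    # Script host starts Chrome with a debug port on the default profile: branch 1 fires.
    _event("wscript-debug-port", "C:\\Windows\\System32\\wscript.exe",
           CHROME + ' --remote-debugging-port=9222 --profile-directory="Default" --no-first-run',
           [CHROME.strip('"'), "--remote-debugging-port=9222", '--profile-directory="Default"', "--no-first-run"]),
    # Copied binary outside Program Files: command line matches nothing, but the args branch fires.
    _event("rundll32-offscreen", "C:\\Windows\\System32\\rundll32.exe",
           '"C:\\Users\\Public\\chrome.exe" --remote-debugging-port=9229 --window-position=-32000,-32000',
           ["C:\\Users\\Public\\chrome.exe", "--remote-debugging-port=9229", "--window-position=-32000,-32000"],
           name="Chrome.EXE"),
    # cmd.exe opening a URL: the trailing argument matches none of the listed shapes.
    _event("cmd-open-url", "C:\\Windows\\System32\\cmd.exe", CHROME + " https://intranet.example",
           [CHROME.strip('"'), "https://intranet.example"]),
    # Vendor automation under Program Files (x86) running headless: wildcard parent exclusion.
    _event("vendor-headless", "C:\\Program Files (x86)\\VendorTool\\automation.exe",
           CHROME + " --headless", [CHROME.strip('"'), "--headless"]),
    # Parent executable missing from telemetry: the query requires it to be non-null.
    _event("no-parent", None, CHROME + " --headless", [CHROME.strip('"'), "--headless"]),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:<20} alert={matches_rule(event)}")
```

Two points from running this against the samples are worth keeping in mind when tuning: the command-line patterns without a trailing `*` are exact (so any extra argument, such as a URL, drops the event out of branch 1), and the `C:\Program Files\*.exe` exclusions match any depth of subdirectory because `*` spans backslashes, which is why a tool installed there is silently allowed while the same tool copied to a user-writable path is not.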
Related rules
- Credential Acquisition via Registry Hive Dumping
- Microsoft IIS Connection Strings Decryption
- NTDS Dump via Wbadmin
- NTDS or SAM Database File Copied
- Potential Credential Access via Windows Utilities