Browser Process Spawned from an Unusual Parent

Identifies instances where a browser is launched with remote debugging, headless automation, or minimal arguments from an unusual parent process. This may indicate an attempt to broker or tamper with a browser session for credential theft.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/08/27"
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/04/22"

[rule]
author = ["Elastic"]
description = """
Identifies instances where a browser is launched with remote debugging, headless automation, or minimal arguments from
an unusual parent process. This may indicate an attempt to broker or tamper with a browser session for credential theft.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Browser Process Spawned from an Unusual Parent"
references = ["https://www.elastic.co/security-labs/katz-and-mouse-game"]
risk_score = 73
rule_id = "46b01bb5-cff2-4a00-9f87-c041d9eab554"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : ("chrome.exe", "msedge.exe") and
  process.parent.executable != null and
  (
    process.command_line : (
            "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --disable-logging --log-level=3 --v=0",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --log-level=3",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=922? --profile-directory=\"Default\"*",
            "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --restore-last-session --remote-debugging-port=45452*"
    ) or
    (process.args : "--remote-debugging-port=922?" and process.args : "--window-position=-*,-*")
  ) and
  not process.parent.executable :
                         ("C:\\Windows\\explorer.exe",
                          "C:\\Program Files (x86)\\*.exe",
                          "C:\\Program Files\\*.exe",
                          "C:\\Windows\\System32\\rdpinit.exe",
                          "C:\\Windows\\System32\\sihost.exe",
                          "C:\\Windows\\System32\\RuntimeBroker.exe",
                          "C:\\Windows\\System32\\SECOCL64.exe")
'''

note = """## Triage and analysis

### Investigating Browser Process Spawned from an Unusual Parent

#### Possible investigation steps

- What browser-brokering path did the alert capture?
  - Focus: `process.command_line`, `process.parent.executable`, `process.parent.command_line`, and `process.Ext.ancestry`.
  - Implication: escalate with one corroborator when Chrome or Edge starts with high-risk arguments such as "--remote-debugging-port", "--user-data-dir", "--profile-directory", "--headless", offscreen window positioning, or bare browser execution from an unexplained shell, script host, Office app, archive tool, LOLBin, or remote-admin parent; lower suspicion only when a stable signed automation, RPA, support, or test-runner parent uses the same bounded debug or profile behavior for the same user-host cohort.

- Is the browser and launcher identity consistent with a signed automation toolchain?
  - Focus: `process.executable`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `process.parent.code_signature.subject_name`.
  - Implication: escalate when the browser or launcher is unsigned, user-writable, mismatched to its product identity, or signed by an unexpected publisher; identity looks cleaner when Chrome or Edge and the launcher signer match the same recognized toolchain, but identity alone does not clear the browser-brokering behavior.

- Does the user, host, and session context fit the launch?
  - Focus: `user.id`, `user.name`, `host.id`, `process.Ext.session_info.logon_type`, and `process.Ext.authentication_id`. $investigate_4
  - Hint: if Windows Security logs are available, pivot `process.Ext.authentication_id` plus `host.id` to `winlog.event_data.TargetLogonId` for 4624 session origin, `source.ip`, and `winlog.event_data.AuthenticationPackageName`; search `winlog.event_data.SubjectLogonId` separately for 4648 explicit-credential context. Missing auth telemetry is unresolved, not benign.
  - Implication: escalate when the browser starts from a service, scheduled, remote, or explicit-credential session that does not match the user-host role; lower suspicion when the session, parent, and user-host cohort all fit the same recognized automation pattern.

- Do network events show DevTools brokering or unexpected egress?
  - Focus: if network telemetry is available, review browser- and parent-scoped connection events on `host.id` for `process.entity_id` and `process.parent.entity_id`: `source.ip`, `destination.ip`, and `destination.port`. $investigate_2
  - Hint: separately review DNS events for `dns.question.name`; DNS events do not carry connection-side `source.ip` or `destination.ip`. The linked transform includes browser and parent `process.entity_id` values to catch browser egress and parent-side DevTools client connections. Missing network telemetry is unresolved, not benign.
  - Implication: escalate when a parent or non-browser process connects over loopback to the browser debugging port, or when the browser reaches rare public destinations unrelated to the same automation pattern; lower suspicion when traffic stays inside recognized vendor, proxy, test, or local automation paths for that parent and command line.

- Do file events show browser-store collection or staged output?
  - Focus: if file telemetry is available, review file events on `host.id` for `process.entity_id` and `process.parent.entity_id`: `file.path` and `file.Ext.original.path`, especially copied or renamed browser-store artifacts such as "Login Data", "Cookies", "Local State", or "LocalPrefs.json". $investigate_3
  - Hint: if entity IDs are unavailable, pivot with `host.id`, process IDs, and a tight alert window; absence of file telemetry does not close the alert.
  - Implication: escalate when the process writes copied browser databases, archives, exported tokens, or renamed outputs in user-writable paths; lower suspicion when file activity stays inside the recognized automation cache or download path and no browser-store artifacts are staged.

- Is the same browser-brokering pattern present beyond this process?
  - Focus: if local evidence is suspicious or unresolved, review recent alerts for the same `user.id` and then the same `host.id`.
  - Hint: user-scoped related alerts: $investigate_0
  - Hint: host-scoped related alerts: $investigate_1
  - Implication: escalate scope when the same parent, command-line pattern, destination, or browser-store artifact repeats across hosts or users; recurrence of one exact automation pattern supports exception review but does not override contradictory telemetry.

- What disposition does the evidence support?
  - Focus: behavior path, browser and launcher identity, session context, DevTools or egress evidence, browser-store artifacts, and scope.
  - Implication: escalate when an unexpected parent drives a browser debug interface, hidden automation, or profile targeting with suspicious session, network, file, or scope evidence; close only when alert-local process evidence and available session, network, file, and scope evidence all bind to one recognized automation, support, or test workflow; preserve and escalate when evidence is mixed or visibility is incomplete.

### False positive analysis

- Browser automation, QA, RPA, monitoring, enterprise management, remote-support, and security-testing workflows can legitimately launch Chrome or Edge with debug or headless behavior only when the signals converge: a stable signed launcher, bounded debug/profile arguments, the expected `user.id` and `host.id` cohort, and no parent-side DevTools client or browser-store staging outside that toolchain. When optional network or file telemetry is available, require it to fit the same workflow. For security testing, also confirm the activity is contained to the intended hosts and users.
- Before creating an exception, validate that `process.parent.executable`, `process.executable`, `process.code_signature.subject_name`, `process.command_line`, `user.id`, and `host.id` recur across prior alerts from this rule. Avoid exceptions on `process.name`, browser install paths, or remote-debugging text alone because those match both benign automation and credential-theft launchers.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the evidence that proved the workflow: browser and launcher identity, parent command line, user-host scope, and any corroborating destinations or file artifacts. Create an exception only after the same confirmed pattern recurs across prior alerts from this rule.
- If suspicious but unconfirmed, export the alert, process tree, browser and parent command lines, relevant `process.entity_id` values, debugging port or profile arguments, and any collected file or network evidence before containment. Preserve copied browser stores, staged archives, dropped tools, and relevant browser-session state; apply reversible containment first, such as browser-session revocation, heightened monitoring on the affected `user.id` and `host.id`, or temporary destination controls.
- If confirmed malicious, record volatile browser-session state and preserve staged artifacts before terminating the browser or parent. Then isolate the host through endpoint response or equivalent controls when the host role can tolerate interruption. Block confirmed malicious destinations and hashes for the parent launcher, staged tool, or tampered browser binary; reset exposed credentials and revoke sessions when browser-store or cookie-theft evidence is present.
- After containment, scope related users and hosts for the same `process.parent.executable`, `process.command_line`, browser-store artifact, or confirmed destination pattern from network review. Remove only the unauthorized extensions, staged artifacts, or launcher components identified during investigation. Close the entry path by disabling the unauthorized launcher or restoring browser policy if it was changed.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.name",
    "user.id",
    "process.entity_id",
    "process.executable",
    "process.command_line",
    "process.parent.entity_id",
    "process.parent.executable",
    "process.parent.command_line",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.parent.code_signature.subject_name",
    "process.Ext.authentication_id",
    "process.Ext.session_info.logon_type",
]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Network activity for browser and parent processes"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for browser and parent processes"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Authentication events for the linked session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{process.Ext.authentication_id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[[rule.threat.technique.subtechnique]]
id = "T1555.003"
name = "Credentials from Web Browsers"
reference = "https://attack.mitre.org/techniques/T1555/003/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1185"
name = "Browser Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1185/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
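To make the query's two match branches and its parent exclusions concrete, here is an added Python re-implementation of the rule's logic run over constructed process-start events; it is not Elastic's code, the `eql_match` helper is a local approximation of EQL's case-insensitive `:` wildcard comparison, and every event (parents, ids, command lines) is made up for the demonstration.

```python
import re
from typing import Dict, List, Optional

def eql_match(value: Optional[str], pattern: str) -> bool:
    """Local approximation of EQL ':' : case-insensitive; '*' = any run of chars, '?' = one char."""
    if value is None:
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None

def eql_match_any(value: Optional[str], patterns: List[str]) -> bool:
    return any(eql_match(value, p) for p in patterns)

CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'

# Whole-command-line shapes from the rule's query; the quotes are part of the string.
COMMAND_LINES = [
    EDGE,
    CHROME,
    CHROME + " --headless --disable-logging --log-level=3 --v=0",
    CHROME + " --headless --log-level=3",
    CHROME + " --headless",
    CHROME + ' --remote-debugging-port=922? --profile-directory="Default"*',
    CHROME + " --headless --restore-last-session --remote-debugging-port=45452*",
]

# Parents the rule treats as expected launchers ('*' is assumed to span backslashes, as in EQL).
EXCLUDED_PARENTS = [
    r"C:\Windows\explorer.exe", r"C:\Program Files (x86)\*.exe", r"C:\Program Files\*.exe",
    r"C:\Windows\System32\rdpinit.exe", r"C:\Windows\System32\sihost.exe",
    r"C:\Windows\System32\RuntimeBroker.exe", r"C:\Windows\System32\SECOCL64.exe",
]

def rule_matches(event: Dict) -> bool:
    """True when a flattened process-start event satisfies the rule's EQL query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not eql_match_any(event.get("process.name"), ["chrome.exe", "msedge.exe"]):
        return False
    args = event.get("process.args") or []
    # Branch 1: the whole command line matches one of the listed shapes.
    cmd_hit = eql_match_any(event.get("process.command_line"), COMMAND_LINES)
    # Branch 2: a DevTools port in the 922x range together with an offscreen window position.
    args_hit = (any(eql_match(a, "--remote-debugging-port=922?") for a in args)
                and any(eql_match(a, "--window-position=-*,-*") for a in args))
    parent = event.get("process.parent.executable")  # must exist and not be an expected launcher
    return parent is not None and (cmd_hit or args_hit) and not eql_match_any(parent, EXCLUDED_PARENTS)

def make_event(eid: str, parent: str, command_line: str, os_type: str = "windows") -> Dict:
    """Constructed, flattened event; args are the quoted exe path followed by its switches."""
    close = command_line.index('"', 1)
    args = [command_line[1:close]] + command_line[close + 1:].split()
    return {"id": eid, "host.os.type": os_type, "event.type": "start",
            "process.name": args[0].rsplit("\\", 1)[-1], "process.parent.executable": parent,
            "process.command_line": command_line, "process.args": args}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    # DevTools port plus profile targeting from a user-writable parent: fires.
    make_event("e1", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
               CHROME + ' --remote-debugging-port=9222 --profile-directory="Default"'),
    # Same command line from a tool under Program Files: the parent is excluded.
    make_event("e2", r"C:\Program Files\AcmeRPA\runner.exe",
               CHROME + ' --remote-debugging-port=9222 --profile-directory="Default"'),
    # Bare browser start from explorer.exe (a user double-click): the parent is excluded.
    make_event("e3", r"C:\Windows\explorer.exe", CHROME),
    # Offscreen window plus a 922x debugging port from a script host: the args branch fires.
    make_event("e4", r"C:\Windows\System32\wscript.exe",
               CHROME + " --window-position=-32000,-32000 --remote-debugging-port=9229"),
    # Ordinary renderer child from cmd.exe: no listed shape and no debug port, so no alert.
    make_event("e5", r"C:\Windows\System32\cmd.exe", CHROME + " --type=renderer --lang=en-US"),
]

def fired_alerts(events: List[Dict]) -> List[str]:
    return [e["id"] for e in events if rule_matches(e)]
```

Running `fired_alerts(SAMPLE_EVENTS)` shows that only e1 and e4 alert: e2 and e3 are dropped by the parent exclusions even though their command lines match, and e5 never matches because the bare-path shapes have no trailing wildcard.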