Potential Data Stealing Via Chromium Headless Debugging

 1title: Potential Data Stealing Via Chromium Headless Debugging
 2id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
 3related:
 4    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
 5      type: derived
 6status: test
 7description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
 8references:
 9    - https://github.com/defaultnamehere/cookie_crimes/
10    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
11    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
12    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-12-23
15tags:
16    - attack.credential-access
17    - attack.t1185
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        CommandLine|contains|all:
24            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
25            - '--user-data-dir'
26            - '--headless'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

• GitHub - defaultnamehere/cookie_crimes: Read local Chrome cookies without root or decrypting

  

  Read local Chrome cookies without root or decrypting - defaultnamehere/cookie_crimes

  
  Read More

• Stealing Chrome cookies without a password

  

  Stealing Chrome Cookies without root or password on OSX, Linux, and Windows via Remote Debugging Protocol.

  
  Read More

• Cookie Crimes and the new Microsoft Edge Browser · Embrace The Red

  

  Revisiting Cookie Crimes In 2018 @mangopdf described “Cookie Crimes”, which is great research around Chrome’s remote debugging feature that allows adversaries and malware to gain access to cookies ...

  
  Read More

• Post-Exploitation: Abusing Chrome's debugging feature to observe and control browsing sessions remotely · Embrace The Red

  

  Chrome’s remote debugging feature enables malware post-exploitation to gain access to cookies. Root privileges are not required. This is a pretty well-known and commonly used adversarial technique ...

  
  Read More

Related rules

• Browser Started with Remote Debugging
• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• ADCS Certificate Template Configuration Vulnerability
• ADCS Certificate Template Configuration Vulnerability with Risky EKU