Potential Data Stealing Via Chromium Headless Debugging

calendar Aug 14, 2025 · attack.credential-access attack.collection attack.t1185 attack.t1564.003  ·
Share on: linkedin copy

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

Sigma rule (View on GitHub)

 1title: Potential Data Stealing Via Chromium Headless Debugging
 2id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
 3related:
 4    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
 5      type: derived
 6status: test
 7description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
 8references:
 9    - https://github.com/defaultnamehere/cookie_crimes/
10    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
11    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
12    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-12-23
15tags:
16    - attack.credential-access
17    - attack.collection
18    - attack.t1185
19    - attack.t1564.003
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        CommandLine|contains|all:
26            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
27            - '--user-data-dir'
28            - '--headless'
29    condition: selection
30falsepositives:
31    - Unknown
32level: high

References

Related rules

to-top