Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Sigma rule (View on GitHub)
1title: Potential Data Stealing Via Chromium Headless Debugging
2id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
3related:
4 - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
5 type: derived
6status: test
7description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
8references:
9 - https://github.com/defaultnamehere/cookie_crimes/
10 - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
11 - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
12 - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-12-23
15tags:
16 - attack.credential-access
17 - attack.collection
18 - attack.t1185
19 - attack.t1564.003
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 CommandLine|contains|all:
26 - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
27 - '--user-data-dir'
28 - '--headless'
29 condition: selection
30falsepositives:
31 - Unknown
32level: high
References
Related rules
- Browser Started with Remote Debugging
- Crash Dump Created By Operating System
- OpenCanary - MSSQL Login Attempt Via SQLAuth
- OpenCanary - MSSQL Login Attempt Via Windows Authentication
- OpenCanary - MySQL Login Attempt