Potential Data Stealing Via Chromium Headless Debugging

calendar Oct 23, 2025 · attack.defense-evasion attack.credential-access attack.collection attack.t1185 attack.t1564.003  ·
Share on: linkedin copy

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

Sigma rule (View on GitHub)

 1title: Potential Data Stealing Via Chromium Headless Debugging
 2id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
 3related:
 4    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
 5      type: derived
 6status: test
 7description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
 8references:
 9    - https://github.com/defaultnamehere/cookie_crimes/
10    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
11    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
12    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-12-23
15tags:
16    - attack.defense-evasion
17    - attack.credential-access
18    - attack.collection
19    - attack.t1185
20    - attack.t1564.003
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        CommandLine|contains|all:
27            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
28            - '--user-data-dir'
29            - '--headless'
30    condition: selection
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top