Potential Data Stealing Via Chromium Headless Debugging

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

Sigma rule (View on GitHub)

 1title: Potential Data Stealing Via Chromium Headless Debugging
 2id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
 3related:
 4    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
 5      type: derived
 6status: test
 7description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
 8references:
 9    - https://github.com/defaultnamehere/cookie_crimes/
10    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
11    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
12    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-12-23
15tags:
16    - attack.credential-access
17    - attack.t1185
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        CommandLine|contains|all:
24            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
25            - '--user-data-dir'
26            - '--headless'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Related rules

to-top