Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Sigma rule (View on GitHub)
1title: Potential Data Stealing Via Chromium Headless Debugging
2id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
3related:
4 - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
5 type: derived
6status: test
7description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
8references:
9 - https://github.com/defaultnamehere/cookie_crimes/
10 - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
11 - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
12 - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-12-23
15tags:
16 - attack.credential-access
17 - attack.collection
18 - attack.t1185
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection:
24 CommandLine|contains|all:
25 - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
26 - '--user-data-dir'
27 - '--headless'
28 condition: selection
29falsepositives:
30 - Unknown
31level: high
References
Related rules
- Browser Started with Remote Debugging
- OpenCanary - MSSQL Login Attempt Via SQLAuth
- OpenCanary - MSSQL Login Attempt Via Windows Authentication
- OpenCanary - MySQL Login Attempt
- OpenCanary - REDIS Action Command Attempt