File Download with Headless Browser
Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
Sigma rule (View on GitHub)
1title: File Download with Headless Browser
2id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
3related:
4 - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
5 type: derived
6status: test
7description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
8references:
9 - https://twitter.com/mrd0x/status/1478234484881436672?s=12
10 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
11author: Sreeman, Florian Roth (Nextron Systems)
12date: 2022-01-04
13modified: 2025-10-07
14tags:
15 - attack.command-and-control
16 - attack.t1105
17 - attack.t1564.003
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 Image|endswith:
24 - '\brave.exe'
25 - '\chrome.exe'
26 - '\msedge.exe'
27 - '\opera.exe'
28 - '\vivaldi.exe'
29 CommandLine|contains|all:
30 - '--headless'
31 - 'dump-dom'
32 - 'http'
33 filter_optional_edge_1:
34 Image|startswith:
35 - 'C:\Program Files (x86)\Microsoft\Edge\Application\'
36 - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
37 - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
38 - 'C:\Program Files\Microsoft\Edge\Application\'
39 - 'C:\Program Files\Microsoft\EdgeCore\'
40 - 'C:\Program Files\Microsoft\EdgeWebView\'
41 - 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge'
42 Image|endswith:
43 - '\msedge.exe'
44 - '\msedgewebview2.exe'
45 - '\MicrosoftEdge.exe'
46 CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
47 filter_optional_edge_2:
48 Image|contains:
49 - '\AppData\Local\Microsoft\WindowsApps\'
50 - '\Windows\SystemApps\Microsoft.MicrosoftEdge'
51 Image|endswith:
52 - '\msedge.exe'
53 - '\MicrosoftEdge.exe'
54 CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
55 condition: selection and not 1 of filter_optional_*
56falsepositives:
57 - Unknown
58level: high
References
Related rules
- Browser Execution In Headless Mode
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
- Curl Download And Execute Combination
- Insensitive Subfolder Search Via Findstr.EXE