Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Sigma rule (View on GitHub)
1title: Chromium Browser Headless Execution To Mockbin Like Site
2id: 1c526788-0abe-4713-862f-b520da5e5316
3status: test
4description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
5references:
6 - https://www.zscaler.com/blogs/security-research/steal-it-campaign
7author: X__Junior (Nextron Systems)
8date: 2023-09-11
9tags:
10 - attack.execution
11logsource:
12 product: windows
13 category: process_creation
14detection:
15 selection_img:
16 Image|endswith:
17 - '\brave.exe'
18 - '\chrome.exe'
19 - '\msedge.exe'
20 - '\opera.exe'
21 - '\vivaldi.exe'
22 selection_headless:
23 CommandLine|contains: '--headless'
24 selection_url:
25 CommandLine|contains:
26 - '://run.mocky'
27 - '://mockbin'
28 condition: all of selection_*
29falsepositives:
30 - Unknown
31level: high
References
-
Explore Steal-It, a new stealing campaign. Learn how customized scripts are used to steal NTLM hashes & how geofenced infection chains steal system information.
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change