Browser Started with Remote Debugging

calendar Aug 12, 2024 · attack.credential-access attack.t1185  ·
Share on: linkedin copy

Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks

Sigma rule (View on GitHub)

 1title: Browser Started with Remote Debugging
 2id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
 3related:
 4    - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
 5      type: derived
 6status: test
 7description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
 8references:
 9    - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
10    - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
11    - https://github.com/defaultnamehere/cookie_crimes/
12    - https://github.com/wunderwuzzi23/firefox-cookiemonster
13author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
14date: 2022-07-27
15modified: 2022-12-23
16tags:
17    - attack.credential-access
18    - attack.t1185
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_chromium_based:
24        # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
25        CommandLine|contains: ' --remote-debugging-'
26    selection_firefox:
27        Image|endswith: '\firefox.exe'
28        CommandLine|contains: ' -start-debugger-server'
29    condition: 1 of selection_*
30falsepositives:
31    - Unknown
32level: medium

References

Related rules

to-top