← Back to Explore
sigmahighHunting
File Download with Headless Browser
Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
Detection Query
selection:
Image|endswith:
- \brave.exe
- \chrome.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe
CommandLine|contains|all:
- --headless
- dump-dom
- http
filter_optional_edge_1:
Image|startswith:
- C:\Program Files (x86)\Microsoft\Edge\Application\
- C:\Program Files (x86)\Microsoft\EdgeCore\
- C:\Program Files (x86)\Microsoft\EdgeWebView\
- C:\Program Files\Microsoft\Edge\Application\
- C:\Program Files\Microsoft\EdgeCore\
- C:\Program Files\Microsoft\EdgeWebView\
- C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge
Image|endswith:
- \msedge.exe
- \msedgewebview2.exe
- \MicrosoftEdge.exe
CommandLine|contains: --headless --disable-gpu --disable-extensions
--disable-plugins --mute-audio --no-first-run --incognito
--aggressive-cache-discard --dump-dom
filter_optional_edge_2:
Image|contains:
- \AppData\Local\Microsoft\WindowsApps\
- \Windows\SystemApps\Microsoft.MicrosoftEdge
Image|endswith:
- \msedge.exe
- \MicrosoftEdge.exe
CommandLine|contains: --headless --disable-gpu --disable-extensions
--disable-plugins --mute-audio --no-first-run --incognito
--aggressive-cache-discard --dump-dom
condition: selection and not 1 of filter_optional_*
Author
Sreeman, Florian Roth (Nextron Systems)
Created
2022-01-04
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.command-and-controlattack.t1105attack.t1564.003
Raw Content
title: File Download with Headless Browser
id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
related:
- id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
type: derived
status: test
description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
references:
- https://twitter.com/mrd0x/status/1478234484881436672?s=12
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Sreeman, Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2025-10-07
tags:
- attack.defense-evasion
- attack.command-and-control
- attack.t1105
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
CommandLine|contains|all:
- '--headless'
- 'dump-dom'
- 'http'
filter_optional_edge_1:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\'
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
- 'C:\Program Files\Microsoft\Edge\Application\'
- 'C:\Program Files\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeWebView\'
- 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\MicrosoftEdge.exe'
CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
filter_optional_edge_2:
Image|contains:
- '\AppData\Local\Microsoft\WindowsApps\'
- '\Windows\SystemApps\Microsoft.MicrosoftEdge'
Image|endswith:
- '\msedge.exe'
- '\MicrosoftEdge.exe'
CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml