← Back to Explore
sigmahighHunting
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Detection Query
selection:
CommandLine|contains|all:
- --remote-debugging-
- --user-data-dir
- --headless
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-12-23
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.credential-accessattack.collectionattack.t1185attack.t1564.003
Raw Content
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
- id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
- https://github.com/defaultnamehere/cookie_crimes/
- https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
- https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
- https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
- attack.defense-evasion
- attack.credential-access
- attack.collection
- attack.t1185
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
- '--user-data-dir'
- '--headless'
condition: selection
falsepositives:
- Unknown
level: high