Detects the execution of a Chromium based browser process with the “headless” flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
title: Chromium Browser Headless Execution To Mockbin Like Site
id: 1c526788-0abe-4713-862f-b520da5e5316
status: test
description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
references:
- https://www.zscaler.com/blogs/security-research/steal-it-campaign
author: X__Junior (Nextron Systems)
date: 2023-09-11
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
selection_headless:
CommandLine|contains: '--headless'
selection_url:
CommandLine|contains:
- '://run.mocky'
- '://mockbin'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml
imProcessCreate
| where (TargetProcessName endswith "\\brave.exe" or TargetProcessName endswith "\\chrome.exe" or TargetProcessName endswith "\\msedge.exe" or TargetProcessName endswith "\\opera.exe" or TargetProcessName endswith "\\vivaldi.exe") and TargetProcessCommandLine contains "--headless" and (TargetProcessCommandLine contains "://run.mocky" or TargetProcessCommandLine contains "://mockbin")| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |