Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
- id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
- https://github.com/defaultnamehere/cookie_crimes/
- https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
- https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
- https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1185
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
- '--user-data-dir'
- '--headless'
condition: selection
falsepositives:
- Unknown
level: high
imProcessCreate
| where TargetProcessCommandLine contains "--remote-debugging-" and TargetProcessCommandLine contains "--user-data-dir" and TargetProcessCommandLine contains "--headless"| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |