Browser Process Spawned from an Unusual Parent

This detection identifies instances where a browser process, specifically Google Chrome or Microsoft Edge, is initiated from an unexpected parent process on a Windows system. The rule focuses on scenarios where browsers are launched with arguments indicative of remote debugging, headless automation, or minimal user interaction. Such activity can signal an attempt to manipulate a browser session for malicious purposes, potentially leading to credential theft or unauthorized access to sensitive information. The rule is designed to leverage data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Process Creation Logs.

Attack Chain

1. An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
2. The attacker executes a script or command to launch a browser process (chrome.exe or msedge.exe).
3. The browser is launched with specific command-line arguments, such as --remote-debugging-port, --headless, or --window-position=-x,-y, to enable remote control or hide the browser window.
4. The parent process of the browser is an unusual executable, not typically associated with launching browsers (e.g., not explorer.exe).
5. The attacker leverages the remote debugging port to interact with the browser session programmatically.
6. The attacker attempts to steal credentials or session cookies from the browser.
7. The attacker uses stolen credentials to access sensitive data.

Impact

Successful exploitation can lead to the theft of user credentials, enabling unauthorized access to sensitive data and systems. This could result in financial loss, data breaches, and reputational damage for affected organizations. The targeted use of browser manipulation techniques increases the likelihood of bypassing traditional security controls.

Recommendation

• Deploy the Sigma rule Browser Process Spawned from Unusual Parent to your SIEM and tune for your environment.
• Enable Sysmon process-creation logging (Event ID 1) to collect the necessary data for the Sigma rule.
• Investigate any alerts generated by the Browser Process Spawned from Unusual Parent Sigma rule.
• Review process command lines for arguments like --remote-debugging-port or --headless to identify potential browser manipulation attempts.
• Monitor network connections originating from browser processes for unexpected destinations, as described in the investigation guide from the source.