Threat Feed
high advisory

Potential File Download via a Headless Browser

Detects the execution of headless browsers from suspicious parent processes with arguments indicative of scripted retrieval, bypassing application control policies and restrictions on direct download tools.

This detection identifies potential file downloads via headless browsers on Windows systems. Attackers abuse headless browser capabilities (chrome.exe, msedge.exe, brave.exe, browser.exe, dragon.exe, vivaldi.exe) to download files, proxy traffic, and bypass application control policies. The technique leverages trusted, signed binaries to evade security restrictions, effectively using the browser as a covert download tool. The activity is characterized by a headless browser being launched from a suspicious parent process, such as a script host, Office application, or command shell, with arguments that facilitate scripted content retrieval like --headless*, --dump-dom, *http*, and data:text/html;base64,*. Defenders should monitor for such anomalous browser behavior to identify and prevent malicious file downloads.
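
The process_creation logic described above, as an added example that is not the platform's own Sigma rule: a small Python evaluator run over constructed Sysmon-style events. The parent-process list and the requirement of a --headless flag plus at least one retrieval argument are assumptions to tune for your environment.

```python
import fnmatch

# Headless-capable browser images named in the advisory.
HEADLESS_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "browser.exe",
                     "dragon.exe", "vivaldi.exe"}
# Script hosts, Office applications and command shells (assumed set; tune it).
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
                      "powershell.exe", "pwsh.exe", "winword.exe", "excel.exe",
                      "powerpnt.exe", "outlook.exe"}
# Sigma-style wildcard patterns taken from the advisory text.
HEADLESS_FLAG = "*--headless*"
RETRIEVAL_ARGS = ["*--dump-dom*", "*http*", "*data:text/html;base64,*"]

def _basename(path: str) -> str:
    # Normalise to the lower-cased file name regardless of slash style.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _matches_any(value: str, patterns: list[str]) -> bool:
    # fnmatchcase on lower-cased input gives case-insensitive Sigma-like matching.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def is_headless_download(event: dict[str, str]) -> bool:
    """Listed browser + suspicious parent + --headless + one retrieval argument
    (assumed AND/OR structure; it keeps the bare *http* pattern from firing alone)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    return (image in HEADLESS_BROWSERS
            and parent in SUSPICIOUS_PARENTS
            and _matches_any(cmdline, [HEADLESS_FLAG])
            and _matches_any(cmdline, RETRIEVAL_ARGS))

def alerts(events: list[dict[str, str]]) -> list[int]:
    """Indexes of process_creation events that match the detection."""
    return [i for i, e in enumerate(events) if is_headless_download(e)]

# Constructed Sysmon-style (Event ID 1) sample events: only the first matches.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'chrome.exe --headless --dump-dom "http://example.invalid/p"'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # benign parent, no alert
     "CommandLine": 'chrome.exe --headless --dump-dom "http://example.invalid/p"'},
    {"Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "msedge.exe https://example.invalid"},  # no --headless
]
```

Investigating a hit means pivoting on the parent process, the full command line and any file written by the browser afterwards, as the Recommendation section describes.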

Attack Chain

  1. A user unknowingly executes a malicious script or document (e.g., via phishing or drive-by download).
  2. The script (e.g., PowerShell, VBScript) or document macro initiates a process, such as cmd.exe or powershell.exe.
  3. The parent process spawns a headless browser instance (chrome.exe, msedge.exe, etc.) with the --headless argument.
  4. Additional arguments are passed to the headless browser to specify a URL for download or base64-encoded inline content (--dump-dom *http*, data:text/html;base64,*).
  5. The headless browser retrieves the content from the specified URL or decodes the base64 data.
  6. The browser saves the downloaded content to disk, often in a user-writable directory.
  7. The initial script or document executes the downloaded file or uses it for further malicious activities.
  8. The attacker achieves their objective, such as establishing persistence, exfiltrating data, or deploying ransomware.

Impact

Successful exploitation can lead to arbitrary code execution, data compromise, and system compromise. Attackers can use this technique to download malware, bypass security controls, and establish a foothold in the compromised system. The impact can range from individual workstation compromise to large-scale network infiltration, depending on the attacker’s objectives and the privileges of the compromised user.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM to detect suspicious headless browser activity, tuning for your environment.
  • Enable process creation logging and command-line auditing to capture the necessary data for the Sigma rules.
  • Investigate alerts generated by the Sigma rules, focusing on the parent process, browser arguments, and downloaded file artifacts.
  • Review and harden application control policies to restrict the execution of headless browsers from suspicious parent processes.
  • Monitor network connections from headless browsers to identify potential command and control traffic or data exfiltration attempts.

Detection coverage (2 rules)

Detect Headless Browser Download from Suspicious Parent

high

Detects headless browser execution from a suspicious parent process with arguments consistent with scripted retrieval.

Format: sigma | Tactics: command_and_control | Techniques: T1071.001 | Sources: process_creation, windows

Detect Headless Browser Network Connection

medium

Detects network connections initiated by headless browser processes.

Format: sigma | Tactics: command_and_control | Techniques: T1071.001 | Sources: network_connection, windows

Detection queries are kept inside the platform.