{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/browser-exploitation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Edge","Chrome","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","windows","browser-exploitation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies instances where a browser process, specifically Google Chrome or Microsoft Edge, is initiated from an unexpected parent process on a Windows system. The rule focuses on scenarios where browsers are launched with arguments indicative of remote debugging, headless automation, or minimal user interaction. Such activity can signal an attempt to manipulate a browser session for malicious purposes, potentially leading to credential theft or unauthorized access to sensitive information. The rule is designed to leverage data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Process Creation Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or command to launch a browser process (chrome.exe or msedge.exe).\u003c/li\u003e\n\u003cli\u003eThe browser is launched with specific command-line arguments, such as \u003ccode\u003e--remote-debugging-port\u003c/code\u003e, \u003ccode\u003e--headless\u003c/code\u003e, or \u003ccode\u003e--window-position=-x,-y\u003c/code\u003e, to enable remote control or hide the browser window.\u003c/li\u003e\n\u003cli\u003eThe parent process of the browser is an unusual executable, not typically associated with launching browsers (e.g., not explorer.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the remote debugging port to interact with the browser session programmatically.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to steal credentials or session cookies from the browser.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen credentials to access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the theft of user credentials, enabling unauthorized access to sensitive data and systems. This could result in financial loss, data breaches, and reputational damage for affected organizations. The targeted use of browser manipulation techniques increases the likelihood of bypassing traditional security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eBrowser Process Spawned from Unusual Parent\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eBrowser Process Spawned from Unusual Parent\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview process command lines for arguments like \u003ccode\u003e--remote-debugging-port\u003c/code\u003e or \u003ccode\u003e--headless\u003c/code\u003e to identify potential browser manipulation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from browser processes for unexpected destinations, as described in the investigation guide from the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:15:00Z","date_published":"2024-01-03T18:15:00Z","id":"/briefs/2024-01-browser-unusual-parent/","summary":"Attackers may attempt credential theft by launching browsers (Chrome, Edge) with remote debugging, headless automation, or minimal arguments from an unusual parent process on Windows systems.","title":"Browser Process Spawned from an Unusual Parent","url":"https://feed.craftedsignal.io/briefs/2024-01-browser-unusual-parent/"}],"language":"en","title":"CraftedSignal Threat Feed — Browser-Exploitation","version":"https://jsonfeed.org/version/1.1"}