Samirbous
e1205cb5c5
* [New/Tuning] Windows Top Threats 2024/2025 1) MSHTA: - tuning to exclude FPs - new rule `Remote Script via Microsoft HTML Application` compatible with 3d party EDR/sysmon/system/winlog integration and that does not require correlation or multiple type of events. 2) MSIEXEC: * Update defense_evasion_mshta_susp_child.toml * Update defense_evasion_script_via_html_app.toml * Update defense_evasion_mshta_susp_child.toml * Create defense_evasion_msiexec_remote_payload.toml * Update defense_evasion_msiexec_remote_payload.toml * ++ * Create execution_scripting_remote_webdav.toml * Create execution_windows_fakecaptcha_cmd_ps.toml * Create command_and_control_rmm_netsupport_susp_path.toml * Update command_and_control_rmm_netsupport_susp_path.toml * ++ * Update execution_jscript_fake_updates.toml * Create command_and_control_dns_susp_tld.toml * ++ * Create command_and_control_remcos_rat_iocs.toml * Update execution_windows_fakecaptcha_cmd_ps.toml * Update execution_scripts_archive_file.toml * Update defense_evasion_masquerading_renamed_autoit.toml * ++ * Create execution_nodejs_susp_patterns.toml * Update execution_nodejs_susp_patterns.toml * Update execution_windows_fakecaptcha_cmd_ps.toml * Fix unit test errors * Update defense_evasion_network_connection_from_windows_binary.toml * Add system index * Add tag * Update rules/windows/command_and_control_remcos_rat_iocs.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Remove duplicate * Update defense_evasion_msiexec_child_proc_netcon.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_masquerading_renamed_autoit.toml * Create credential_access_browsers_unusual_parent.toml * Update credential_access_browsers_unusual_parent.toml * ++ * Update defense_evasion_masquerading_renamed_autoit.toml * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_remcos_rat_iocs.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_mshta_susp_child.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/execution_windows_phish_clickfix.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update discovery_host_public_ip_address_lookup.toml * Update execution_windows_phish_clickfix.toml * Update rules/windows/defense_evasion_script_via_html_app.toml * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/credential_access_browsers_unusual_parent.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/discovery_host_public_ip_address_lookup.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/execution_nodejs_susp_patterns.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update discovery_host_public_ip_address_lookup.toml * Update rules/windows/command_and_control_dns_susp_tld.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update defense_evasion_masquerading_renamed_autoit.toml * Update defense_evasion_script_via_html_app.toml --------- Co-authored-by: eric-forte-elastic <eric.forte@elastic.co> Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
126 lines
7.0 KiB
TOML
126 lines
7.0 KiB
TOML
[metadata]
|
|
creation_date = "2025/08/27"
|
|
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
|
|
maturity = "production"
|
|
updated_date = "2025/08/27"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies instances where an unusual process spawns a chrome browser child process. This behavior could be related to malware
|
|
stealing browser information.
|
|
"""
|
|
from = "now-9m"
|
|
index = [
|
|
"endgame-*",
|
|
"logs-endpoint.events.process-*",
|
|
"logs-m365_defender.event-*",
|
|
"logs-sentinel_one_cloud_funnel.*",
|
|
"logs-system.security*",
|
|
"logs-windows.forwarded*",
|
|
"logs-windows.sysmon_operational-*",
|
|
"winlogbeat-*",
|
|
]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Browser Process Spawned from an Unusual Parent"
|
|
note = """## Triage and analysis
|
|
|
|
> **Disclaimer**:
|
|
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
|
|
|
|
### Investigating Browser Process Spawned from an Unusual Parent
|
|
|
|
### Possible investigation steps
|
|
|
|
- Review the process execution details to confirm that a web browser process (e.g., chrome.exe, msedge.exe, firefox.exe) has an unusual or suspicious parent process. Focus on the process.parent.name, process.name, and process.args fields.
|
|
- Examine the command line arguments for signs of remote debugging flags (e.g., --remote-debugging-port, --remote-debugging-pipe) or injected DLLs that could indicate attempts to hijack browser sessions.
|
|
- Check whether the parent process is a scripting host (e.g., wscript.exe, cscript.exe), system utility, or unexpected binary (e.g., cmd.exe, rundll32.exe, powershell.exe) rather than the legitimate browser updater or system launcher.
|
|
- Investigate if the suspicious parent process has a known reputation or hash linked to malware or credential-stealing tools by correlating with threat intelligence sources.
|
|
- Look for additional related processes spawned by the browser that might indicate malicious activity, such as network connections to unusual external IPs or data exfiltration attempts.
|
|
- Review authentication logs to identify if any credential theft attempts occurred shortly after the suspicious browser activity, focusing on abnormal logins, failed authentications, or credential access patterns.
|
|
- Cross-reference with endpoint telemetry (e.g., Defender for Endpoint, Sysmon) to identify whether this event is part of a broader intrusion attempt involving code injection or persistence mechanisms.
|
|
|
|
### False positive analysis
|
|
|
|
- Certain enterprise management or testing tools may launch browsers with remote debugging enabled for automation purposes. Identify and document such legitimate tools and processes.
|
|
- Development environments may use browser remote debugging features during legitimate software testing. Exclude known dev/test machines or users from triggering alerts in production environments.
|
|
- Security testing frameworks or internal red team activities may use similar techniques. Coordinate with authorized security teams to whitelist scheduled exercises.
|
|
- Browser extensions or third-party plugins could sometimes spawn processes that appear unusual. Validate if the behavior aligns with known, legitimate extensions.
|
|
- Automated IT scripts or orchestration tools might start browsers in debugging mode for monitoring purposes. Whitelist these cases based on process path, signature, or command-line arguments.
|
|
|
|
### Response and remediation
|
|
|
|
- Isolate the affected endpoint from the network to prevent potential credential theft or data exfiltration.
|
|
- Terminate any suspicious processes identified in the alert, including both the browser and its anomalous parent process.
|
|
- Collect forensic artifacts (process memory, browser profiles, injected modules) for further investigation and potential IOCs.
|
|
- Reset credentials for accounts that may have been exposed through the compromised browser session.
|
|
- Deploy updated endpoint protection signatures and enable stricter application control policies to prevent browsers from being launched by untrusted processes.
|
|
- Enhance monitoring for browser processes launched with debugging flags or code injection indicators across the environment.
|
|
- Escalate to the SOC or IR team to determine whether this event is part of a larger credential theft campaign or linked to other lateral movement activity."""
|
|
references = ["https://www.elastic.co/security-labs/katz-and-mouse-game"]
|
|
risk_score = 73
|
|
rule_id = "46b01bb5-cff2-4a00-9f87-c041d9eab554"
|
|
severity = "high"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Windows",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Credential Access",
|
|
"Data Source: Elastic Endgame",
|
|
"Data Source: Elastic Defend",
|
|
"Data Source: Windows Security Event Logs",
|
|
"Data Source: Microsoft Defender for Endpoint",
|
|
"Data Source: Sysmon",
|
|
"Data Source: SentinelOne",
|
|
"Resources: Investigation Guide",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where host.os.type == "windows" and event.type == "start" and
|
|
process.name : ("chrome.exe", "msedge.exe") and
|
|
process.parent.executable != null and process.command_line != null and
|
|
(
|
|
process.command_line :
|
|
("\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"",
|
|
"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"",
|
|
"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --disable-logging --log-level=3 --v=0",
|
|
"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --log-level=3",
|
|
"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless",
|
|
"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --remote-debugging-port=922? --profile-directory=\"Default\"*",
|
|
"\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless --restore-last-session --remote-debugging-port=45452*") or
|
|
|
|
(process.args : "--remote-debugging-port=922?" and process.args : "--window-position=-*,-*")
|
|
) and
|
|
not process.parent.executable :
|
|
("C:\\Windows\\explorer.exe",
|
|
"C:\\Program Files (x86)\\*.exe",
|
|
"C:\\Program Files\\*.exe",
|
|
"C:\\Windows\\System32\\rdpinit.exe",
|
|
"C:\\Windows\\System32\\sihost.exe",
|
|
"C:\\Windows\\System32\\RuntimeBroker.exe",
|
|
"C:\\Windows\\System32\\SECOCL64.exe")
|
|
'''
|
|
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1555"
|
|
name = "Credentials from Password Stores"
|
|
reference = "https://attack.mitre.org/techniques/T1555/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1555.003"
|
|
name = "Credentials from Web Browsers"
|
|
reference = "https://attack.mitre.org/techniques/T1555/003/"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0006"
|
|
name = "Credential Access"
|
|
reference = "https://attack.mitre.org/tactics/TA0006/"
|
|
|
|
|