Home/CVE-2014-7941/Sigma rules
Sigma

Sigma rules for CVE-2014-7941

7 rules · scoped to cve · back to CVE-2014-7941
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

7 of 7
direct high
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
status test author Nasreddine Bencherchali (Nextron Systems) id 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
      type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1185
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
            - '--user-data-dir'
            - '--headless'
    condition: selection
falsepositives:
    - Unknown
level: high
direct high
SQLite Chromium Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
status test author TropChaud id 24c77512-782b-448a-8950-eddb0785fc71 license Sigma · DRL-1.1
view Sigma YAML 
title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
direct high
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
status test author X__Junior (Nextron Systems) id 1c526788-0abe-4713-862f-b520da5e5316 license Sigma · DRL-1.1
view Sigma YAML 
title: Chromium Browser Headless Execution To Mockbin Like Site
id: 1c526788-0abe-4713-862f-b520da5e5316
status: test
description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
references:
    - https://www.zscaler.com/blogs/security-research/steal-it-campaign
author: X__Junior (Nextron Systems)
date: 2023-09-11
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    selection_headless:
        CommandLine|contains: '--headless'
    selection_url:
        CommandLine|contains:
            - '://run.mocky'
            - '://mockbin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml
direct high
Suspicious Chromium Browser Instance Executed With Custom Extension
Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
status test author Aedan Russell, frack113, X__Junior (Nextron Systems) id 27ba3207-dd30-4812-abbf-5d20c57d474e license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Chromium Browser Instance Executed With Custom Extension
id: 27ba3207-dd30-4812-abbf-5d20c57d474e
related:
    - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
      type: similar
status: test
description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
    - attack.persistence
    - attack.t1176.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml
direct medium
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
status test author Aedan Russell, frack113, X__Junior (Nextron Systems) id 88d6e60c-759d-4ac1-a447-c0f1466c2d21 license Sigma · DRL-1.1
view Sigma YAML 
title: Chromium Browser Instance Executed With Custom Extension
id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
related:
    - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
      type: similar
status: test
description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
    - attack.persistence
    - attack.t1176.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml
direct high
Running Chrome VPN Extensions via the Registry 2 VPN Extension
Running Chrome VPN Extensions via the Registry install 2 vpn extension
status test author frack113 id b64a026b-8deb-4c1d-92fd-98893209dff1 license Sigma · DRL-1.1
view Sigma YAML 
title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.persistence
    - attack.t1133
logsource:
    category: registry_set
    product: windows
detection:
    chrome_ext:
        TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
        TargetObject|endswith: 'update_url'
    chrome_vpn:
        TargetObject|contains:
            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
            - gjknjjomckknofjidppipffbpoekiipm # VPN Free
            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
            - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN
            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock
            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
            - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
            - hipncndjamdcmphkgngojegjblibadbe # RusVPN
            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC
            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
            - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN
            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN
            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
            - chioafkonnhbpajpengbalkececleldf # BullVPN
            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
            - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
            - bnijmipndnicefcdbhgcjoognndbgkep # Veee
            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield
            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet
            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN
            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
            - pooljnboifbodgifngpppfklhifechoe # GeoProxy
            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow
            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN
    condition: all of chrome_*
falsepositives:
    - Unknown
level: high
direct medium
Potential Chrome Frame Helper DLL Sideloading
Detects potential DLL sideloading of "chrome_frame_helper.dll"
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) id 72ca7c75-bf85-45cd-aca7-255d360e423c license Sigma · DRL-1.1
view Sigma YAML 
title: Potential Chrome Frame Helper DLL Sideloading
id: 72ca7c75-bf85-45cd-aca7-255d360e423c
status: test
description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
references:
    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-05-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\chrome_frame_helper.dll'
    filter_main_path:
        ImageLoaded|startswith:
            - 'C:\Program Files\Google\Chrome\Application\'
            - 'C:\Program Files (x86)\Google\Chrome\Application\'
    filter_optional_user_path:
        ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Showing 1-7 of 7
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin