Sigma rules for CVE-2017-7000
5 rules, scoped to this CVE
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
      type: derived
status: test
description: Detects Chromium-based browsers starting in headless and remote-debugging mode while pointing to a user profile directory. Because the debugging port exposes the profile's session state, this can be a sign of data stealing (cookie/session theft) or remote control of the browser
references:
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.defense-evasion
    - attack.t1185
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--remote-debugging-' # Covers --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe, etc.
            - '--user-data-dir'
            - '--headless'
    condition: selection
falsepositives:
    - Unknown
level: high

title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detects usage of the "sqlite" binary to query the profile databases of Chromium-based browsers (logins, cookies, autofill data, history, bookmarks) for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql: # list of maps: either the binary's Product metadata or its image name identifies sqlite
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Chromium Browser Headless Execution To Mockbin Like Site
id: 1c526788-0abe-4713-862f-b520da5e5316
status: test
description: Detects the execution of a Chromium-based browser process with the "headless" flag and a URL pointing to mockbin.org or run.mocky, public mock-API services that can be used to exfiltrate data.
references:
    - https://www.zscaler.com/blogs/security-research/steal-it-campaign
author: X__Junior (Nextron Systems)
date: 2023-09-11
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    selection_headless:
        CommandLine|contains: '--headless'
    selection_url:
        CommandLine|contains:
            - '://run.mocky'
            - '://mockbin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml

title: Suspicious Chromium Browser Instance Executed With Custom Extension
id: 27ba3207-dd30-4812-abbf-5d20c57d474e
related:
    - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
      type: similar
status: test
description: Detects a suspicious parent process (a command interpreter, script host, or a LOLBin such as mshta, regsvr32 or rundll32) spawning a Chromium-based browser with the 'load-extension' flag, which starts an instance with a custom extension
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
    - attack.persistence
    - attack.t1176.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml

title: Chromium Browser Instance Executed With Custom Extension
id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
related:
    - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
      type: similar
status: test
description: Detects a Chromium-based browser process started with the 'load-extension' flag, which starts an instance with a custom extension. This is the broader, parent-agnostic companion of the "Suspicious" rule above and is therefore rated lower
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
    - attack.persistence
    - attack.t1176.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Usage of Chrome extensions in testing tools such as BurpSuite will trigger this alert
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml
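The five rules above combine field selections with either a single `selection` condition or `all of selection_*`, and rely on three pieces of Sigma matching semantics that are easy to misread in the YAML: `contains|all` turns a value list into an AND, a selection written as a list of maps (`selection_sql`) is an OR of its entries, and all string comparisons are case-insensitive. The Python block below is an added example, not code from this page, from SigmaHQ or from pySigma: it implements just that subset of Sigma, transcribes the five detection blocks, and runs them over constructed Sysmon-style process_creation events (invented paths, user name `alice`, and a made-up mockbin URL) so the AND/OR behaviour and the high/medium pairing of the two extension rules can be seen firing.

```python
"""Minimal evaluator for the Sigma string-matching subset used by the five
Chromium rules on this page.  Added example: this is not SigmaHQ code and not
pySigma.  It supports equals/contains/endswith/startswith, the `all` modifier,
list-of-maps (OR) selections and the conditions `selection` / `all of x_*`,
which is everything these rules need.  The events at the bottom are constructed
Sysmon-style process_creation records with invented paths, not real telemetry."""

BROWSERS = [r"\brave.exe", r"\chrome.exe", r"\msedge.exe", r"\opera.exe", r"\vivaldi.exe"]
SCRIPT_HOSTS = [r"\cmd.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe",
                r"\pwsh.exe", r"\regsvr32.exe", r"\rundll32.exe", r"\wscript.exe"]

# The `detection` blocks transcribed from the rules above.  A map of field specs
# is an AND, a list of maps is an OR, exactly as Sigma nests them.  Patterns that
# end in a backslash cannot be raw strings in Python, hence the doubled "\\".
RULES = {
    "Potential Data Stealing Via Chromium Headless Debugging": {
        "selection": {"CommandLine|contains|all": ["--remote-debugging-", "--user-data-dir", "--headless"]},
        "condition": "selection"},
    "SQLite Chromium Profile Data DB Access": {
        "selection_sql": [{"Product": "SQLite"}, {"Image|endswith": [r"\sqlite.exe", r"\sqlite3.exe"]}],
        "selection_chromium": {"CommandLine|contains": ["\\User Data\\", "\\Opera Software\\", "\\ChromiumViewer\\"]},
        "selection_data": {"CommandLine|contains": ["Login Data", "Cookies", "Web Data", "History", "Bookmarks"]},
        "condition": "all of selection_*"},
    "Chromium Browser Headless Execution To Mockbin Like Site": {
        "selection_img": {"Image|endswith": BROWSERS},
        "selection_headless": {"CommandLine|contains": "--headless"},
        "selection_url": {"CommandLine|contains": ["://run.mocky", "://mockbin"]},
        "condition": "all of selection_*"},
    "Suspicious Chromium Browser Instance Executed With Custom Extension": {
        "selection": {"ParentImage|endswith": SCRIPT_HOSTS, "Image|endswith": BROWSERS,
                      "CommandLine|contains": "--load-extension="},
        "condition": "selection"},
    "Chromium Browser Instance Executed With Custom Extension": {
        "selection": {"Image|endswith": BROWSERS, "CommandLine|contains": "--load-extension="},
        "condition": "selection"},
}


def _match_field(event, spec, values):
    """Apply one `Field|modifier|...` spec.  Sigma string matching is case-insensitive."""
    field, *mods = spec.split("|")
    actual = str(event.get(field, "")).lower()
    values = values if isinstance(values, list) else [values]
    op = next((m for m in mods if m in ("contains", "endswith", "startswith")), "equals")

    def one(value):
        value = str(value).lower()
        if op == "contains":
            return value in actual
        if op == "endswith":
            return actual.endswith(value)
        if op == "startswith":
            return actual.startswith(value)
        return actual == value

    hits = [one(v) for v in values]
    return all(hits) if "all" in mods else any(hits)  # `|all` turns the value list from OR into AND


def _match_selection(event, selection):
    if isinstance(selection, list):  # list of maps: any entry may match
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, spec, vals) for spec, vals in selection.items())


def evaluate(rule, event):
    """True if the event satisfies the rule's condition."""
    selections = {k: v for k, v in rule.items() if k != "condition"}
    cond = rule["condition"]
    if cond.startswith("all of ") and cond.endswith("*"):
        prefix = cond[len("all of "):-1]
        return all(_match_selection(event, s) for name, s in selections.items()
                   if name.startswith(prefix))
    return _match_selection(event, selections[cond])


def matching_rules(event):
    """Titles of every rule the event satisfies, in page order."""
    return [title for title, rule in RULES.items() if evaluate(rule, event)]


# Constructed sample events (invented paths and user); field names follow Sysmon Event ID 1.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = {
    "headless_debug": {"Image": CHROME, "ParentImage": POWERSHELL, "CommandLine":
        r'chrome.exe --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
    "headless_no_profile": {"Image": CHROME, "ParentImage": POWERSHELL,
        "CommandLine": "chrome.exe --headless --remote-debugging-port=9222"},
    "sqlite_login_data": {"Image": r"C:\Tools\sqlite3.exe", "ParentImage": POWERSHELL, "CommandLine":
        r'sqlite3.exe "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" "select origin_url, username_value from logins"'},
    "headless_mockbin": {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "ParentImage": POWERSHELL, "CommandLine": "msedge.exe --headless https://mockbin.org/bin/example"},
    "ext_from_powershell": {"Image": CHROME, "ParentImage": POWERSHELL,
        "CommandLine": r'chrome.exe --load-extension="C:\Users\alice\AppData\Local\Temp\ext"'},
    "ext_from_explorer": {"Image": CHROME, "ParentImage": EXPLORER,
        "CommandLine": r'chrome.exe --load-extension="C:\Tools\burp-extension"'},
    "benign_chrome": {"Image": CHROME, "ParentImage": EXPLORER,
        "CommandLine": "chrome.exe --profile-directory=Default"},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:20s} -> {matching_rules(event) or 'no match'}")
```

Two results are worth noting. `headless_no_profile` matches nothing even though it has both `--headless` and a debugging port, because `contains|all` requires `--user-data-dir` too; a detection engineer who wants to catch debugging of the default profile would need a separate, noisier selection. The two `--load-extension=` events show the intended tiering: the PowerShell-parented launch trips both the high-severity "Suspicious" rule and the medium one, while the explorer-parented launch (the BurpSuite-style false positive the page lists) trips only the medium rule. For production use convert the YAML with sigma-cli/pySigma to your SIEM's query language rather than reusing this evaluator, which ignores modifiers such as `re` and `windash` that other Sigma rules depend on.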