Techniques
Sample rules
Headless Browser Usage
- source: splunk
- technicques:
- T1497
- T1564.003
Description
The following analytic detects the usage of headless browsers within an organization. It identifies processes containing the “–headless” and “–disable-gpu” command line arguments, which are indicative of headless browsing. This detection leverages data from the Endpoint.Processes datamodel to identify such processes. Monitoring headless browser usage is significant as these tools can be exploited by adversaries for malicious activities like web scraping, automated testing, and undetected web interactions. If confirmed malicious, this activity could lead to unauthorized data extraction, automated attacks, or other covert operations on web applications.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe") (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `headless_browser_usage_filter`
Windows Chromium process Launched with Disable Popup Blocking
- source: splunk
- technicques:
- T1497
Description
The following analytic detects instances where a Windows Chromium-based browser process is launched with the --disable-popup-blocking flag. This flag is typically used to bypass the browser’s built-in pop-up protections, allowing automatic execution of pop-ups or redirects without user interaction. While legitimate in some testing or automation scenarios, its presence on endpoints, particularly when combined with other automation or concealment flags, may indicate attempts by malicious actors to execute web-based content stealthily or evade user interaction controls, representing a potential security risk that warrants investigation.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes
where Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
Processes.process = "*--disable-popup-blocking*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_chromium_process_launched_with_disable_popup_blocking_filter`
Windows Chromium Process with Disabled Extensions
- source: splunk
- technicques:
- T1497
Description
The following analytic detects instances of Chromium-based browser processes on Windows launched with extensions explicitly disabled via command-line arguments. Disabling extensions can be used by automation frameworks, testing tools, or headless browser activity, but may also indicate defense evasion or abuse of browser functionality by malicious scripts or malware. This behavior reduces browser visibility and bypasses user-installed security extensions, making it relevant for detecting non-interactive execution, suspicious automation, or living-off-the-land techniques. Analysts should validate execution context, parent process, and command-line parameters to determine legitimacy.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes
where Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
Processes.process = "*--disable-extensions*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_chromium_process_with_disabled_extensions_filter`