LoFP LoFP / some internal automation frameworks may invoke chromium browsers in headless mode to programmatically access internal services or webpages. these tools may occasionally download legitimate resources as part of their normal behavior. tuning based on command-line patterns or known dest hostnames may be required to avoid noise.

Techniques

Sample rules

Cisco NVM - Suspicious File Download via Headless Browser

Description

This analytic identifies the use of Chromium-based browsers (like Microsoft Edge) running in headless mode with the --dump-dom argument. This behavior has been observed in attack campaigns such as DUCKTAIL, where browsers are automated to stealthily download content from the internet using direct URLs or suspicious hosting platforms. The detection focuses on identifying connections to known file-sharing domains or direct IPs extracted from command-line arguments and cross-checks those against the destination of the flow. Since it leverages Cisco Network Visibility Module telemetry, the rule triggers only if a network connection is made.

Detection logic

`cisco_network_visibility_module_flowdata`

 ``` Usually the initiator of the connection is the child process, meaning the parent will contain the suspicious command.``` 

 (
   parent_process_name IN ("brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe")
   OR
   process_name IN ("brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe")
 )
 (
   (parent_process_arguments="*--headless*" parent_process_arguments="*--dump-dom*")
   OR
   (process_arguments="*--headless*" process_arguments="*--dump-dom*")
 )
 NOT dest IN (
         "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", 
         "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", 
         "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", 
         "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", 
         "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
         )

 ``` In order to avoid matching with any public IP, we extract the IP value from the CommandLine and filter on it```

 
| rex field=parent_process_arguments "(?i)\\b(?:https?
|ftp)://(?<extracted_ip_parent>(?:\\d{1,3}\\.){3}\\d{1,3})"
 
| rex field=process_arguments "(?i)\\b(?:https?
|ftp)://(?<extracted_ip_child>(?:\\d{1,3}\\.){3}\\d{1,3})"
 
| eval direct_ip_match=if(dest == extracted_ip_child, 1, if(dest == extracted_ip_parent, 1, 0))

 
| where (
     dest_hostname IN (
         "*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
         "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
         "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
         "*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
         "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
         "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
         "*ufile.io*", "*w3spaces.com*", "*workers.dev*"
     )
     OR direct_ip_match = 1
   )

 
| stats count min(_time) as firstTime max(_time) as lastTime
         values(parent_process_arguments) as parent_process_arguments
         values(process_arguments) as process_arguments
         values(parent_process_hash) as parent_process_hash
         values(process_hash) as process_hash
         values(module_name_list) as module_name_list
         values(module_hash_list) as module_hash_list
         values(dest_port) as dest_port
         values(aliul) as additional_logged_in_users_list
         values(dest_hostname) as dest_hostname
         by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
 
| `security_content_ctime(firstTime)`
 
| `security_content_ctime(lastTime)`
 
| table
   parent_process_integrity_level parent_process_path parent_process_name parent_process_arguments parent_process_hash
   process_integrity_level process_path process_name process_arguments process_hash process_id
   additional_logged_in_users_list module_name_list module_hash_list
   src dest_hostname dest dest_port transport firstTime lastTime
 
| `cisco_nvm___suspicious_file_download_via_headless_browser_filter`