Techniques
Sample rules
Cisco NVM - Suspicious File Download via Headless Browser
- source: splunk
- technicques:
- T1105
- T1059
Description
This analytic identifies the use of Chromium-based browsers (like Microsoft Edge) running in headless mode with the --dump-dom
argument.
This behavior has been observed in attack campaigns such as DUCKTAIL, where browsers are automated to stealthily download content from the internet using direct URLs or suspicious hosting platforms.
The detection focuses on identifying connections to known file-sharing domains or direct IPs extracted from command-line arguments and cross-checks those against the destination of the flow.
Since it leverages Cisco Network Visibility Module telemetry, the rule triggers only if a network connection is made.
Detection logic
`cisco_network_visibility_module_flowdata`
``` Usually the initiator of the connection is the child process, meaning the parent will contain the suspicious command.```
(
parent_process_name IN ("brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe")
OR
process_name IN ("brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe")
)
(
(parent_process_arguments="*--headless*" parent_process_arguments="*--dump-dom*")
OR
(process_arguments="*--headless*" process_arguments="*--dump-dom*")
)
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
``` In order to avoid matching with any public IP, we extract the IP value from the CommandLine and filter on it```
| rex field=parent_process_arguments "(?i)\\b(?:https?
|ftp)://(?<extracted_ip_parent>(?:\\d{1,3}\\.){3}\\d{1,3})"
| rex field=process_arguments "(?i)\\b(?:https?
|ftp)://(?<extracted_ip_child>(?:\\d{1,3}\\.){3}\\d{1,3})"
| eval direct_ip_match=if(dest == extracted_ip_child, 1, if(dest == extracted_ip_parent, 1, 0))
| where (
dest_hostname IN (
"*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
"*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
"*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
"*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
"*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
"*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
"*ufile.io*", "*w3spaces.com*", "*workers.dev*"
)
OR direct_ip_match = 1
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_name parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_file_download_via_headless_browser_filter`