
Summary
This rule detects Chromium-based browsers (Brave, Chrome, Microsoft Edge, Opera and Vivaldi) being launched in headless mode. Headless mode runs the browser without a graphical user interface, which lets scripts drive a full browser engine unattended; attackers use this for command and control, web scraping, data exfiltration and automated interaction with malicious web services. The rule matches process-creation events in which the image is one of the listed browsers' ".exe" executables and the command line contains the "--headless" switch. Note that the same switch is routinely used by legitimate automation (browser test frameworks, PDF and screenshot rendering), so alerts should be triaged with the parent process and the URL or arguments passed to the browser rather than treated as malicious on their own.
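The following is an added example, not the rule's own code or query: a minimal re-implementation of the match logic described above, run over constructed Windows process-creation records, plus a parent-process enrichment that is not part of the rule. The executable names (brave.exe, chrome.exe, msedge.exe, opera.exe, vivaldi.exe) are assumed from the browsers named in the summary; the page does not list them explicitly. Matching is done case-insensitively because Windows paths and Chromium switches are case-insensitive.

```python
"""Added example: mirror of the headless-browser rule logic over sample events.

Assumptions not stated on the page:
  * the rule's executables are brave.exe, chrome.exe, msedge.exe, opera.exe
    and vivaldi.exe (derived from the browsers the summary names);
  * matching is case-insensitive;
  * the image field carries a full path (the backslash prefix below avoids
    matching e.g. "notchrome.exe").
"""
from dataclasses import dataclass

# Assumed image names; compared against the tail of the full path.
CHROMIUM_IMAGES = ("\\brave.exe", "\\chrome.exe", "\\msedge.exe",
                   "\\opera.exe", "\\vivaldi.exe")

# Script hosts that often spawn a headless browser in malicious automation.
# This is a triage enrichment added here; it is NOT part of the rule.
SCRIPT_HOST_PARENTS = ("\\powershell.exe", "\\wscript.exe", "\\cscript.exe",
                       "\\mshta.exe", "\\cmd.exe")


@dataclass
class ProcessEvent:
    """Subset of the fields a process-creation record (e.g. Sysmon Event ID 1
    or Security 4688) carries."""
    image: str
    command_line: str
    parent_image: str = ""


def is_headless_chromium(event: ProcessEvent) -> bool:
    """The rule's two conditions: known Chromium image AND '--headless' in the
    command line. A substring test also catches '--headless=new'."""
    if not event.image.lower().endswith(CHROMIUM_IMAGES):
        return False
    return "--headless" in event.command_line.lower()


def has_script_host_parent(event: ProcessEvent) -> bool:
    """Enrichment only: was the browser spawned by a scripting host?"""
    return event.parent_image.lower().endswith(SCRIPT_HOST_PARENTS)


def find_headless_launches(events):
    """Return (event, spawned_by_script_host) for every event the rule fires on."""
    return [(e, has_script_host_parent(e)) for e in events if is_headless_chromium(e)]


# Constructed sample events; none were captured from a real host.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"chrome.exe" --headless --disable-gpu --dump-dom https://example.invalid/',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r'"msedge.exe" --headless=new --remote-debugging-port=9222',
                 r"C:\Program Files\nodejs\node.exe"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"chrome.exe" --profile-directory=Default',
                 r"C:\Windows\explorer.exe"),
    # Firefox is not Chromium-based, so this launch is out of the rule's scope.
    ProcessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r'"firefox.exe" --headless https://example.invalid/',
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for event, scripted in find_headless_launches(SAMPLE_EVENTS):
        flag = "script-host parent" if scripted else "non-script parent"
        print(f"MATCH [{flag}] {event.image} :: {event.command_line}")
```

In the sample set the rule fires on the chrome.exe and msedge.exe launches only; the Edge launch is a typical test-framework pattern (node.exe parent, remote debugging port), while the Chrome launch from powershell.exe with --dump-dom is the kind of scripted fetch an analyst would want to look at first.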
Categories
- Windows
- Endpoint
- Cloud
- Other
Data Sources
- Process
Created: 2023-09-12