Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Chromium Browser Headless Execution To Mockbin Like Site

Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
X__Junior (Nextron Systems)Created Mon Sep 111c526788-0abe-4713-862f-b520da5e5316windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    selection_headless:
        CommandLine|contains: '--headless'
    selection_url:
        CommandLine|contains:
            - '://run.mocky'
            - '://mockbin'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
zscaler.com
Testing & Validation

Regression Tests

by SigmaHQ Team
Positive Detection Testevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Rule Metadata
Rule ID
1c526788-0abe-4713-862f-b520da5e5316
Status
test
Level
high
Type
Detection
Created
Mon Sep 11
Author
X__Junior (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
Raw Tags
attack.execution
View on GitHub