Detects execution of chromium based browser in headless mode using the “dump-dom” command line to download files
title: File Download with Headless Browser
id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
related:
- id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
type: derived
status: test
description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
references:
- https://twitter.com/mrd0x/status/1478234484881436672?s=12
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Sreeman, Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2025-10-07
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
CommandLine|contains|all:
- '--headless'
- 'dump-dom'
- 'http'
filter_optional_edge_1:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\'
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
- 'C:\Program Files\Microsoft\Edge\Application\'
- 'C:\Program Files\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeWebView\'
- 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\MicrosoftEdge.exe'
CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
filter_optional_edge_2:
Image|contains:
- '\AppData\Local\Microsoft\WindowsApps\'
- '\Windows\SystemApps\Microsoft.MicrosoftEdge'
Image|endswith:
- '\msedge.exe'
- '\MicrosoftEdge.exe'
CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml
imProcessCreate
| where ((TargetProcessName endswith "\\brave.exe" or TargetProcessName endswith "\\chrome.exe" or TargetProcessName endswith "\\msedge.exe" or TargetProcessName endswith "\\opera.exe" or TargetProcessName endswith "\\vivaldi.exe") and (TargetProcessCommandLine contains "--headless" and TargetProcessCommandLine contains "dump-dom" and TargetProcessCommandLine contains "http")) and (not((((TargetProcessName startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or TargetProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or TargetProcessName startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or TargetProcessName startswith "C:\\Program Files\\Microsoft\\Edge\\Application\\" or TargetProcessName startswith "C:\\Program Files\\Microsoft\\EdgeCore\\" or TargetProcessName startswith "C:\\Program Files\\Microsoft\\EdgeWebView\\" or TargetProcessName startswith "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge") and (TargetProcessName endswith "\\msedge.exe" or TargetProcessName endswith "\\msedgewebview2.exe" or TargetProcessName endswith "\\MicrosoftEdge.exe") and TargetProcessCommandLine contains "--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom") or ((TargetProcessName contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" or TargetProcessName contains "\\Windows\\SystemApps\\Microsoft.MicrosoftEdge") and (TargetProcessName endswith "\\msedge.exe" or TargetProcessName endswith "\\MicrosoftEdge.exe") and TargetProcessCommandLine contains "--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom"))))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |