| ID | Technique | Tactic |
|---|---|---|
| T1105 | Ingress Tool Transfer | Command And Control |
| T1059 | Command and Scripting Interpreter | Execution |
Detection: Cisco NVM - Suspicious File Download via Headless Browser
Description
This analytic identifies the use of Chromium-based browsers (like Microsoft Edge) running in headless mode with the --dump-dom argument.
This behavior has been observed in attack campaigns such as DUCKTAIL, where browsers are automated to stealthily download content from the internet using direct URLs or suspicious hosting platforms.
The detection focuses on identifying connections to known file-sharing domains or direct IPs extracted from command-line arguments and cross-checks those against the destination of the flow.
Since it leverages Cisco Network Visibility Module telemetry, the rule triggers only if a network connection is made.
Search
1`cisco_network_visibility_module_flowdata`
2
3 ``` Usually the initiator of the connection is the child process, meaning the parent will contain the suspicious command.```
4
5 (
6 parent_process_name IN ("brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe")
7 OR
8 process_name IN ("brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe")
9 )
10 (
11 (parent_process_arguments="*--headless*" parent_process_arguments="*--dump-dom*")
12 OR
13 (process_arguments="*--headless*" process_arguments="*--dump-dom*")
14 )
15 NOT dest IN (
16 "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
17 "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
18 "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
19 "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
20 "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
21 )
22
23 ``` In order to avoid matching with any public IP, we extract the IP value from the CommandLine and filter on it```
24
25
26| rex field=parent_process_arguments "(?i)\\b(?:https?
27|ftp)://(?<extracted_ip_parent>(?:\\d{1,3}\\.){3}\\d{1,3})"
28
29| rex field=process_arguments "(?i)\\b(?:https?
30|ftp)://(?<extracted_ip_child>(?:\\d{1,3}\\.){3}\\d{1,3})"
31
32| eval direct_ip_match=if(dest == extracted_ip_child, 1, if(dest == extracted_ip_parent, 1, 0))
33
34
35| where (
36 dest_hostname IN (
37 "*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
38 "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
39 "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
40 "*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
41 "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
42 "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
43 "*ufile.io*", "*w3spaces.com*", "*workers.dev*"
44 )
45 OR direct_ip_match = 1
46 )
47
48
49| stats count min(_time) as firstTime max(_time) as lastTime
50 values(parent_process_arguments) as parent_process_arguments
51 values(process_arguments) as process_arguments
52 values(parent_process_hash) as parent_process_hash
53 values(process_hash) as process_hash
54 values(module_name_list) as module_name_list
55 values(module_hash_list) as module_hash_list
56 values(dest_port) as dest_port
57 values(aliul) as additional_logged_in_users_list
58 values(dest_hostname) as dest_hostname
59 by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
60
61| `security_content_ctime(firstTime)`
62
63| `security_content_ctime(lastTime)`
64
65| table
66 parent_process_integrity_level parent_process_path parent_process_name parent_process_arguments parent_process_hash
67 process_integrity_level process_path process_name process_arguments process_hash process_id
68 additional_logged_in_users_list module_name_list module_hash_list
69 src dest_hostname dest dest_port transport firstTime lastTime
70
71| `cisco_nvm___suspicious_file_download_via_headless_browser_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data |  Network |
'cisco:nvm:flowdata' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_network_visibility_module_flowdata | sourcetype="cisco:nvm:flowdata" |
| cisco_nvm___suspicious_file_download_via_headless_browser_filter | search * |
cisco_nvm___suspicious_file_download_via_headless_browser_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
Installation
DE.CM
CIS 10
APT18
APT19
APT28
APT29
APT3
APT32
APT33
APT37
APT38
APT39
APT41
Ajax Security Team
Andariel
Aquatic Panda
BITTER
BRONZE BUTLER
BackdoorDiplomacy
BlackByte
Chimera
Cinnamon Tempest
Cobalt Group
Confucius
Daggerfly
Darkhotel
Dragonfly
Elderwood
Evilnum
FIN13
FIN5
FIN6
FIN7
FIN8
Fox Kitten
GALLIUM
Gamaredon Group
Gorgon Group
HAFNIUM
HEXANE
INC Ransom
IndigoZebra
Indrik Spider
Ke3chang
Kimsuky
Lazarus Group
LazyScripter
Leviathan
LuminousMoth
Magic Hound
Metador
Molerats
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Mustard Tempest
Nomadic Octopus
OilRig
PLATINUM
Patchwork
Play
Rancor
Rocke
Saint Bear
Sandworm Team
SideCopy
Sidewinder
Silence
Stealth Falcon
Storm-1811
TA2541
TA505
TA551
TeamTNT
Threat Group-3390
Tonto Team
Tropic Trooper
Turla
Volatile Cedar
Volt Typhoon
WIRTE
Whitefly
Windigo
Windshift
Winnti Group
Winter Vivern
Wizard Spider
ZIRCONIUM
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named cisco_network_visibility_module_flowdata.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
Known False Positives
Some internal automation frameworks may invoke Chromium browsers in headless mode to programmatically access internal services or webpages. These tools may occasionally download legitimate resources as part of their normal behavior. Tuning based on command-line patterns or known dest hostnames may be required to avoid noise.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Suspicious file download using the Chromium-based browser $parent_process_name$ via the commandline $process_arguments$. Observed on host $src$ communicating with $dest$ / $dest_hostname$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src | system | 40 | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1