|
| 1 | +name: Windows Chromium Browser No Security Sandbox Process |
| 2 | +id: 314cb263-7eeb-4d45-b693-bb21699c73d2 |
| 3 | +version: 1 |
| 4 | +date: '2025-05-26' |
| 5 | +author: Teoderick Contreras, Splunk |
| 6 | +status: production |
| 7 | +type: TTP |
| 8 | +description: The following analytic detects instances where a Chrome or Chromium-based browser is launched with the --no-sandbox flag, a known indicator of potentially malicious or suspicious behavior. While this flag is occasionally used during software development or testing, it is rarely seen in normal user activity. Threat actors often abuse this setting to disable Chrome’s built-in security sandbox, making it easier to execute malicious code or escape browser isolation. This behavior is commonly observed in malware droppers or loaders that embed Chromium components for command and control, credential theft, or UI spoofing. Analysts should investigate such events, especially if they originate from unusual parent processes (e.g., powershell.exe, cmd.exe, or unknown binaries), or if accompanied by other indicators such as file drops, process injection, or outbound network activity. Filtering by command-line arguments and process ancestry can help reduce false positives and surface high-fidelity detections. |
| 9 | +data_source: |
| 10 | +- Sysmon EventID 1 |
| 11 | +- Windows Event Log Security 4688 |
| 12 | +- CrowdStrike ProcessRollup2 |
| 13 | +search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) |
| 14 | + as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe") |
| 15 | + Processes.process = "*--no-sandbox*" |
| 16 | + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process |
| 17 | + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id |
| 18 | + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec |
| 19 | + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level |
| 20 | + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product |
| 21 | + | `drop_dm_object_name(Processes)` |
| 22 | + | `security_content_ctime(firstTime)` |
| 23 | + | `security_content_ctime(lastTime)` |
| 24 | + | `windows_chromium_browser_no_security_sandbox_process_filter`' |
| 25 | +how_to_implement: To successfully implement this search you need to be ingesting information |
| 26 | + on process that include the name of the process responsible for the changes from |
| 27 | + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, |
| 28 | + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the |
| 29 | + endpoint product. |
| 30 | +known_false_positives: Administrators may enable or disable this feature that may |
| 31 | + cause some false positive. |
| 32 | +references: |
| 33 | +- https://unix.stackexchange.com/questions/68832/what-does-the-chromium-option-no-sandbox-mean |
| 34 | +drilldown_searches: |
| 35 | +- name: View the detection results for - "$user$" and "$dest$" |
| 36 | + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' |
| 37 | + earliest_offset: $info_min_time$ |
| 38 | + latest_offset: $info_max_time$ |
| 39 | +- name: View risk events for the last 7 days for - "$user$" and "$dest$" |
| 40 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", |
| 41 | + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) |
| 42 | + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk |
| 43 | + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) |
| 44 | + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" |
| 45 | + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' |
| 46 | + earliest_offset: $info_min_time$ |
| 47 | + latest_offset: $info_max_time$ |
| 48 | +rba: |
| 49 | + message: A chrome process with the --no-sandbox flag was launched on $dest$ by user $user$. |
| 50 | + risk_objects: |
| 51 | + - field: dest |
| 52 | + type: system |
| 53 | + score: 60 |
| 54 | + threat_objects: |
| 55 | + - field: parent_process_name |
| 56 | + type: parent_process_name |
| 57 | +tags: |
| 58 | + analytic_story: |
| 59 | + - Malicious Inno Setup Loader |
| 60 | + asset_type: Endpoint |
| 61 | + mitre_attack_id: |
| 62 | + - T1497 |
| 63 | + product: |
| 64 | + - Splunk Enterprise |
| 65 | + - Splunk Enterprise Security |
| 66 | + - Splunk Cloud |
| 67 | + security_domain: endpoint |
| 68 | +tests: |
| 69 | +- name: True Positive Test |
| 70 | + attack_data: |
| 71 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497/chrom_no_sandbox/chrome-no_sandbox.log |
| 72 | + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| 73 | + sourcetype: XmlWinEventLog |
0 commit comments