| ID | Technique | Tactic |
|---|---|---|
| T1497 | Virtualization/Sandbox Evasion | Defense Evasion |
Detection: Windows Chromium Browser Launched with Small Window Size
Description
The following analytic detects instances where a Chromium-based browser process, including Chrome, Edge, Brave, Opera, or Vivaldi, is launched with an unusually small window size, typically less than 100 pixels in width or height. Such configurations render the browser effectively invisible to the user and are uncommon in normal user activity. When observed on endpoints, especially in combination with automation, off-screen positioning, or suppression flags, this behavior may indicate attempts to execute web content or automated actions stealthily, bypassing user interaction and security controls. This analytic highlights potential malicious automation or covert browser-based activity.
Search
1
2| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
3where Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
4Processes.process = "*--window-size*"
5by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
6 Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
7 Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
8 Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
9 Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
10
11| rex field=Processes.process "--window-size=(?<window_width>\d+)\s*,\s*(?<window_height>\d+)"
12
13| eval window_width=tonumber(window_width), window_height=tonumber(window_height)
14
15| where window_height < 100 AND window_width < 100
16
17| `drop_dm_object_name(Processes)`
18
19| fields * window_width window_height
20
21| `security_content_ctime(firstTime)`
22
23| `security_content_ctime(lastTime)`
24
25| `windows_chromium_browser_launched_with_small_window_size_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | 'crowdstrike:events:sensor' |
'crowdstrike' |
| Sysmon EventID 1 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Windows Event Log Security 4688 | Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_chromium_browser_launched_with_small_window_size_filter | search * |
windows_chromium_browser_launched_with_small_window_size_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
Known False Positives
No false positives have been identified at this time.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A Chromium-based browser process was launched on $dest$ by user $user$ with an unusually small window size ($window_width$ x $window_height$ pixels). The process was spawned by $parent_process_name$ and included the following command-line parameters $process$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 50 | parent_process, parent_process_name, process |
| user | user | 50 | parent_process, parent_process_name, process |
References
-
https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html
-
https://peter.sh/experiments/chromium-command-line-switches/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1