401. Threat Actors Abuse Browser Kiosk Mode to Distract Victims
Hello everyone! Today we'll look at another interesting example of how attackers abuse the browser. This time, they used it to distract the victim. According to this report , to distract the user and buy the time needed for their scripts to execute properly, the attackers used the service fakeupdate[.]net , which displays a fake Windows update screen. To do this, the attackers launched Microsoft Edge in kiosk mode: start msedge.exe --kiosk https://fakeupdate[.]net/win10ue --edge-kiosk-type=fullscreen Of course, attackers can host similar pages on their own servers. Nevertheless, this browser launch mode provides an opportunity to hunt for suspicious activity using the following detection logic: event_type: "processcreatewin" AND proc_file_path: "msedge.exe" AND cmdline: ("kiosk" AND "fullscreen") See you soon!