401. Threat Actors Abuse Browser Kiosk Mode to Distract Victims

Hello everyone!

Today we'll look at another interesting example of how attackers abuse the browser. This time, they used it to distract the victim.

According to this report, to distract the user and buy the time needed for their scripts to execute properly, the attackers used the service fakeupdate[.]net, which displays a fake Windows update screen.

To do this, the attackers launched Microsoft Edge in kiosk mode:

start msedge.exe --kiosk https://fakeupdate[.]net/win10ue --edge-kiosk-type=fullscreen

Of course, attackers can host similar pages on their own servers. Nevertheless, this browser launch mode provides an opportunity to hunt for suspicious activity using the following detection logic:

event_type: "processcreatewin"

AND

proc_file_path: "msedge.exe"

AND

cmdline: ("kiosk" AND "fullscreen")

See you soon!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access