← Library
splApache-2.0from splunk/security_content

Windows Chromium Browser Launched with Small Window Size

The following analytic detects instances where a Chromium-based browser process, including Chrome, Edge, Brave, Opera, or Vivaldi, is launched with an unusually small window size, typically less than 100 pixels in width or height. Such configurations render the browser effectively invisible to the user and are uncommon in normal user activity. When observed on endpoints, especially in combination with automation, off-screen positioning, or suppression flags, this behavior may indicate attempts to execute web content or automated actions stealthily, bypassing user interaction and security controls. This analytic highlights potential malicious automation or covert browser-based activity.

Quality
59
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_chromium_browser_launched_with_small_window_size.yml
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
Processes.process = "*--window-size*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| rex field=Processes.process "--window-size=(?<window_width>\d+)\s*,\s*(?<window_height>\d+)"
| eval window_width=tonumber(window_width), window_height=tonumber(window_height)
| where window_height < 100 AND window_width < 100
| `drop_dm_object_name(Processes)`
| fields * window_width window_height
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_chromium_browser_launched_with_small_window_size_filter`