Windows Browser Process Launched with Unusual Flags
The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1185 Browser Session Hijacking |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: tstats

```
tstats WHERE NOT Processes.parent_process_name IN ("brave.exe", "chrome.exe", "explorer.exe", "firefox.exe", "msedge.exe") NOT Processes.parent_process_path IN ("C:\\Program Files*", "C:\\Windows\\SysWow64\\*", "C:\\Windows\\System32\\*") Processes.process IN ("*--do-not-de-elevate*", "*--mute-audio*", "*--no-de-elevate*") Processes.process_name IN ("brave.exe", "chrome.exe", "firefox.exe", "msedge.exe") BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product
```

Stage 2: search

Stage 3: search

Stage 4: search

Stage 5: search `macro`
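To make the Stage 1 predicates concrete, the following is an added example (not part of the rule page or of Splunk's own content) that re-implements the four tstats conditions in Python and runs them over a handful of constructed, CIM-shaped process-creation events. Field names follow the `Processes` data model used in the query; the hostnames, users, parent paths and command lines are invented test data, and treating SPL wildcard matching as case-insensitive is an assumption of this example.

```python
from fnmatch import fnmatchcase

# Predicates copied from the rule's tstats stage. The wildcards are SPL-style
# globs; the doubled backslashes in the SPL are the same escapes in Python.
BROWSER_NAMES = ("brave.exe", "chrome.exe", "firefox.exe", "msedge.exe")
EXCLUDED_PARENT_NAMES = ("brave.exe", "chrome.exe", "explorer.exe",
                         "firefox.exe", "msedge.exe")
EXCLUDED_PARENT_PATHS = ("C:\\Program Files*", "C:\\Windows\\SysWow64\\*",
                         "C:\\Windows\\System32\\*")
FLAG_PATTERNS = ("*--do-not-de-elevate*", "*--mute-audio*", "*--no-de-elevate*")


def glob_any(value: str, patterns) -> bool:
    """SPL-style `field IN (pattern, ...)` with wildcards.
    Case-insensitive matching is an assumption made by this example."""
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def matches_rule(event: dict) -> bool:
    """Apply the four Stage 1 predicates to one CIM-shaped Processes event.

    Missing parent fields are treated as empty strings, so an event with no
    parent information is NOT suppressed, which mirrors how `NOT field IN (...)`
    evaluates when the field is absent from the event.
    """
    if event.get("process_name", "").lower() not in BROWSER_NAMES:
        return False                      # only browser binaries are in scope
    if not glob_any(event.get("process", ""), FLAG_PATTERNS):
        return False                      # command line lacks the odd flags
    if event.get("parent_process_name", "").lower() in EXCLUDED_PARENT_NAMES:
        return False                      # browser-spawned or user-launched
    if glob_any(event.get("parent_process_path", ""), EXCLUDED_PARENT_PATHS):
        return False                      # parent lives in a trusted directory
    return True


def find_matches(events):
    """Return (dest, parent_process_name, process_name) for every hit."""
    return [
        (e.get("dest"), e.get("parent_process_name"), e.get("process_name"))
        for e in events
        if matches_rule(e)
    ]


# Constructed sample events (hostnames, paths and command lines are made up).
SAMPLE_EVENTS = [
    # Renderer child of the browser itself: suppressed by parent name and path.
    {"dest": "ws-0412", "parent_process_name": "chrome.exe",
     "parent_process_path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "process_name": "chrome.exe",
     "process": "chrome.exe --type=renderer --mute-audio"},
    # User double-clicked a shortcut: explorer.exe is an excluded parent.
    {"dest": "ws-0412", "parent_process_name": "explorer.exe",
     "parent_process_path": "C:\\Windows\\explorer.exe",
     "process_name": "msedge.exe", "process": "msedge.exe --mute-audio"},
    # Parent under System32: suppressed by the path exclusion.
    {"dest": "ws-0077", "parent_process_name": "svchost.exe",
     "parent_process_path": "C:\\Windows\\System32\\svchost.exe",
     "process_name": "firefox.exe", "process": "firefox.exe --mute-audio"},
    # Unknown launcher in a user profile: this is what the rule is after.
    {"dest": "ws-0412", "parent_process_name": "launcher.exe",
     "parent_process_path": "C:\\Users\\alice\\AppData\\Local\\Programs\\Launcher\\launcher.exe",
     "process_name": "chrome.exe",
     "process": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" "
                "--mute-audio --no-de-elevate https://example.invalid"},
    # Interpreter in a user profile driving the browser with --do-not-de-elevate.
    {"dest": "ws-0077", "parent_process_name": "python.exe",
     "parent_process_path": "C:\\Users\\bob\\AppData\\Local\\Programs\\Python\\Python311\\python.exe",
     "process_name": "msedge.exe", "process": "msedge.exe --do-not-de-elevate"},
    # Not a browser at all: out of scope even with the flag present.
    {"dest": "ws-0077", "parent_process_name": "launcher.exe",
     "parent_process_path": "C:\\Users\\bob\\AppData\\Local\\Programs\\Launcher\\launcher.exe",
     "process_name": "notepad.exe", "process": "notepad.exe --mute-audio"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("match:", hit)
```

Two of the six constructed events survive all four predicates: the browser launched by an unknown `launcher.exe` in a user profile and the one driven by a user-profile `python.exe`. The `explorer.exe` and `Program Files` exclusions are what keep ordinary user-launched browsers and the browser's own helper processes out of the results, so the quality of this rule in a real environment depends on how well the `parent_process_path` field is populated; an event with no parent fields at all is not suppressed and will surface for triage.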
Exclusions
Top-level NOT(...) conjuncts: the predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | ParentImage | in | "C:\\Program Files*", "C:\\Windows\\SysWow64\\*", "C:\\Windows\\System32\\*" |
| 2 | parent_process_name | in | "brave.exe", "chrome.exe", "explorer.exe", "firefox.exe", "msedge.exe" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Processes.process | in | "*--do-not-de-elevate*", "*--mute-audio*", "*--no-de-elevate*" |
| Processes.process_name | in | "brave.exe", "chrome.exe", "firefox.exe", "msedge.exe" |