Windows Chromium Browser Launched with Small Window Size

name: Windows Chromium Browser Launched with Small Window Size
id: 88103f56-8f5c-411f-a87f-71bee776f140
version: 5
creation_date: '2026-02-02'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects instances where a Chromium-based browser process, including Chrome, Edge, Brave, Opera, or Vivaldi, is launched with an unusually small window size, typically less than 100 pixels in width or height. Such configurations render the browser effectively invisible to the user and are uncommon in normal user activity. When observed on endpoints, especially in combination with automation, off-screen positioning, or suppression flags, this behavior may indicate attempts to execute web content or automated actions stealthily, bypassing user interaction and security controls. This analytic highlights potential malicious automation or covert browser-based activity.
data_source:
    - Sysmon EventID 1
    - Windows Event Log Security 4688
    - CrowdStrike ProcessRollup2
search: |
    | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
    where Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
    Processes.process = "*--window-size*"
    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
       Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
       Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
       Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
       Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    | rex field=Processes.process "--window-size=(?<window_width>\d+)\s*,\s*(?<window_height>\d+)"
    | eval window_width=tonumber(window_width), window_height=tonumber(window_height)
    | where window_height < 100 AND window_width < 100
    | `drop_dm_object_name(Processes)`
    | fields * window_width window_height
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_chromium_browser_launched_with_small_window_size_filter`
how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
known_false_positives: No false positives have been identified at this time.
references:
    - https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html
    - https://peter.sh/experiments/chromium-command-line-switches/
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: A Chromium-based browser process was launched on $dest$ by user $user$ with an unusually small window size ($window_width$ x $window_height$ pixels). The process was spawned by $parent_process_name$ and included the following command-line parameters $process$.
    entity:
        field: user
        type: user
        score: 50
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 50
          message: A Chromium-based browser process was launched on $dest$ by user $user$ with an unusually small window size ($window_width$ x $window_height$ pixels). The process was spawned by $parent_process_name$ and included the following command-line parameters $process$.
threat_objects:
    - field: parent_process
      type: parent_process
    - field: parent_process_name
      type: parent_process_name
    - field: process
      type: process
analytic_story:
    - Browser Hijacking
asset_type: Endpoint
mitre_attack_id:
    - T1497
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497/chrome_disable_popup/chrome_disable_popup.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit