Was an Incognito/Private browser session used?

ID: Q1024

Approaches to Answer

• Search CrowdStrike logs for Incognito Chrome processes [Q1024.10]
  • CrowdStrike records the source process ID (ContextProcessId) for ProcessRollup events.
  • Tags: CrowdStrike Process Execution Web Browser

Approaches

Note

There are often multiple ways to approach answering a question. This section explains the approaches considered, how they work, and any benefits or drawbacks to each. All these approaches have different pros and cons. They can be used individually or in conjunction.

Search CrowdStrike logs for Incognito Chrome processes

🗂️ Explanation

Crowdstrike is a detection platform, not a logging platform, so not all executions are logged. We cannot always connect a running browser process with observed DNS requests. When we do see DNS requests coming from a browser process, yet we don't see browsing history, there are several possible explanations, including browser extensions or private browsing.

References

• https://www.crowdstrike.com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/

📝 Notes

Each approach comes with certain caveats or limitations. These can often be tacit knowledge or assumed that "everyone knows that" (even though they don't). This can lead to incorrect assumptions and analysis. Explicitly stating what is covered and not covered by the approach reduces ambiguity.

Covered

• Chrome on Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent

Not Covered

• Chrome instances with a renamed process
• Other Chromium-based browsers

💾 Data

The following data source(s) are needed for this approach to the question.

• CrowdStrike: ProcessRollup

⚙️ Processors

A processor is what takes the data collected and processes it in some way to produce structured data for an investigator to review. Multiple processor options can be defined, as there are often multiple programs capable of doing similar processing. Plaso is an example of a processor (it processes raw artifacts into a timeline). After the data is processed, additional analysis steps may be needed to answer the question.

The following processors can process the raw data specified above. Explicit instructions on how to run the processor are not included here, but any relevant configuration options are.

Splunk

More information on Splunk.

📊 Analysis

After processing the raw data, further analysis steps are necessary to answer the question. After loading Splunk's output into one of these analysis platforms, use the following steps to refine the data to answer the question.

Splunk-Query

1. Query searching for browser processes executed in private mode
2. Type: splunk-query
3. Value: ComputerName="{hostname}" event_simpleName=ProcessRollup* CommandLine IN ("chrome") CommandLine IN (disable-databases) | table _time, DomainName, CommandLine