chrome.exe - Google Chrome Browser Security Analysis
chrome.exe is the **Google Chrome web browser**, the most widely-used browser globally. Chrome's extensive feature set makes it a **high-value target** for attackers seeking credential theft, browser-based exploitation, and process injection. Chrome's **debugging port** (--remote-debugging-port) is frequently abused for **cookie theft** and **session hijacking**.
Risk Summary
HIGH priority for SOC triage. chrome.exe is the most popular browser and a prime target for credential theft and browser exploitation. Monitor for --remote-debugging-port usage, unusual child processes, profile data access, and unexpected network destinations.
Overview
What is chrome.exe?
chrome.exe is the main executable for Google Chrome, the world's most popular web browser.
Core Functions
Web Browsing:
- Chromium-based rendering engine (Blink)
- V8 JavaScript engine
- Multi-process architecture
- Extensive extension ecosystem
User Data Management:
- Encrypted credential storage
- Cookie management
- Sync with Google Account
- Password manager integration
Security Significance
- Market Dominance: #1 target for browser attacks
- Debug Port Abuse: Remote debugging exploitation
- Extension Ecosystem: Malicious extension risk
- Credential Database: Valuable theft target
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Program Files\Google\Chrome\Application\chrome.exe |
| Parent | explorer.exe (user launch) |
| Instances | Many (multi-process) |
| User | Logged-in user |
| Network | HTTP/HTTPS traffic |
Multi-Process Architecture
chrome.exe (browser process)
├── chrome.exe --type=gpu-process
├── chrome.exe --type=renderer
├── chrome.exe --type=utility
└── chrome.exe --type=extension
Profile Location
%LOCALAPPDATA%\Google\Chrome\User Data\Default\
├── Login Data (SQLite - encrypted passwords)
├── Cookies (SQLite)
├── History (SQLite)
└── Web Data (SQLite)
Normal Command Lines
"C:\Program Files\Google\Chrome\Application\chrome.exe"
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer
Common Locations
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
%LOCALAPPDATA%\Google\Chrome\Application\chrome.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Path: C:\Program Files\Google\Chrome\...\chrome.exe
Parent: explorer.exe, chrome.exe
User: Logged-in user
Command: --type=renderer, --type=gpu-process
Network: HTTPS to known sites
SUSPICIOUS
Path: C:\Users\Public\chrome.exe, C:\Temp\chrome.exe
Parent: cmd.exe, powershell.exe, wscript.exe
Command: --remote-debugging-port=9222, --headless --disable-gpu
Children: cmd.exe, powershell.exe
Network: C2 connections
Dangerous Command Line Flags
| Flag | Risk | Description |
|---|---|---|
| --remote-debugging-port | CRITICAL | Enables remote control |
| --headless | HIGH | Invisible browser |
| --disable-extensions | MEDIUM | Bypass extension security |
| --no-sandbox | CRITICAL | Disables sandboxing |
Attack Techniques
Technique #1: Debug Port Cookie Theft (T1539)
Remote Debugging Abuse:
chrome.exe --remote-debugging-port=9222
# Attacker connects to ws://localhost:9222
# Extracts cookies via DevTools protocol
Detection Rule:
Process = "chrome.exe" AND
CommandLine CONTAINS "--remote-debugging-port"
→ ALERT: CRITICAL - Potential cookie theft
Technique #2: Credential Database Theft (T1555.003)
Login Data Extraction:
# Malware targets:
$loginData = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"
# Uses DPAPI to decrypt or exports encrypted blob
Tools:
- HackBrowserData
- ChromePass
- Mimikatz (for DPAPI keys)
Technique #3: Malicious Extensions (T1176)
Extension-Based Attacks:
- Keyloggers
- Form grabbers
- Cryptominers
- Ad injectors
Technique #4: Headless Browser Abuse
Invisible Operations:
chrome.exe --headless --disable-gpu --dump-dom http://target.com
Detection Strategies
Priority #1: Debug Port Monitoring (CRITICAL)
Sigma Rule:
title: Chrome Remote Debugging Port
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\chrome.exe'
        CommandLine|contains: '--remote-debugging-port'
    condition: selection
level: critical
PowerShell Detection:
Get-WmiObject Win32_Process -Filter "Name='chrome.exe'" | Where-Object {
$_.CommandLine -like "*--remote-debugging-port*"
} | Select-Object ProcessId, CommandLine
Priority #2: Unusual Child Processes
ParentProcess = "chrome.exe" AND
ChildProcess IN ["cmd.exe", "powershell.exe"]
→ ALERT: HIGH
Priority #3: Profile Data Access
Process != "chrome.exe" AND
FileAccess CONTAINS "Chrome\User Data\Default" AND
FileAccess CONTAINS ["Login Data", "Cookies"]
→ ALERT: CRITICAL
Priority #4: Headless Execution
Process = "chrome.exe" AND
CommandLine CONTAINS "--headless"
→ ALERT: MEDIUM - Investigate context
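The four detection priorities above, together with the path and parent checks from the Legitimate vs Suspicious comparison, written out as triage logic that runs over telemetry. This is an added example, not code from the original page: the process-creation and file-access records are constructed to resemble EDR/Sysmon events, and the field names (type, image, parent_image, cmdline, target) are this example's own assumptions.

```python
"""Triage chrome.exe telemetry against the detection priorities above.

Added example, not code from the original page. The events below are
constructed to resemble EDR/Sysmon process-creation ("process") and
file-access ("file") records; the field names are this example's own.
"""
import re
from dataclasses import dataclass

# Expected install locations from the "Common Locations" section.
LEGIT_PATH_RE = re.compile(
    r"^(c:\\program files( \(x86\))?|c:\\users\\[^\\]+\\appdata\\local)"
    r"\\google\\chrome\\application\\chrome\.exe$",
    re.IGNORECASE,
)
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# Severities follow the detection priorities above (headless is MEDIUM there,
# pending context) and the dangerous-flags table for the remaining switches.
FLAG_RISK = {
    "--remote-debugging-port": ("CRITICAL", "Potential cookie theft (T1539)"),
    "--no-sandbox": ("CRITICAL", "Renderer sandbox disabled"),
    "--headless": ("MEDIUM", "Headless execution - investigate context"),
    "--disable-extensions": ("MEDIUM", "Extension protections bypassed"),
}
PROFILE_DIR = "\\google\\chrome\\user data\\default\\"
PROFILE_FILES = {"login data", "cookies"}

# Constructed sample telemetry (user name, paths and command lines are made up).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222 --headless --disable-gpu"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "cmd.exe /c echo test"},
    {"type": "process", "image": r"C:\Users\Public\chrome.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Users\Public\chrome.exe"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\stealer.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]


@dataclass
class Alert:
    level: str
    rule: str
    evidence: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flags_in(cmdline):
    # Switch names only: "--remote-debugging-port=9222" -> "--remote-debugging-port"
    return {tok.split("=", 1)[0].lower() for tok in cmdline.split() if tok.startswith("--")}


def triage_process(ev):
    """Priorities #1, #2 and #4 plus the path/parent checks for one process event."""
    alerts = []
    image, parent = ev["image"], basename(ev["parent_image"])
    if basename(image) == "chrome.exe":
        if not LEGIT_PATH_RE.match(image):
            alerts.append(Alert("HIGH", "chrome.exe outside install path", image))
        if parent in SCRIPT_PARENTS:
            alerts.append(Alert("HIGH", "chrome.exe launched by script host or shell", parent))
        for flag in sorted(flags_in(ev["cmdline"])):
            if flag in FLAG_RISK:
                level, why = FLAG_RISK[flag]
                alerts.append(Alert(level, why, flag))
    elif parent == "chrome.exe" and basename(image) in SHELL_CHILDREN:
        alerts.append(Alert("HIGH", "shell spawned by chrome.exe", ev["cmdline"]))
    return alerts


def triage_file(ev):
    """Priority #3: a process other than Chrome touching Login Data or Cookies."""
    target = ev["target"].lower()
    if (basename(ev["image"]) != "chrome.exe"
            and PROFILE_DIR in target
            and basename(target) in PROFILE_FILES):
        return [Alert("CRITICAL", "non-Chrome process read profile secrets (T1555.003)", ev["image"])]
    return []


def triage(events):
    alerts = []
    for ev in events:
        alerts.extend(triage_file(ev) if ev["type"] == "file" else triage_process(ev))
    return alerts


def summarize(alerts):
    counts = {}
    for a in alerts:
        counts[a.level] = counts.get(a.level, 0) + 1
    return counts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.level}] {a.rule}: {a.evidence}")
```

Run as-is it prints seven alerts for the six constructed events and none for the two benign ones (the explorer-launched renderer and Chrome reading its own Cookies file). Browser automation frameworks and developer tooling also start Chrome with --remote-debugging-port and --headless, so on developer workstations correlate the CRITICAL and MEDIUM flag alerts with the parent process and the user before escalating.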
Protection and Remediation
Defense: Group Policy Controls
Disable Debug Port:
Software\Policies\Google\Chrome
RemoteDebuggingAllowed = 0
Defense: Extension Whitelisting
Software\Policies\Google\Chrome\ExtensionInstallAllowlist
Defense: Endpoint Monitoring
Monitor Chrome User Data directory access.
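One way to verify that the Group Policy controls above are actually in force is to export the Chrome policy key and audit it. The following is an added example, not code from the original page: it parses constructed `reg export` style text for the Chrome policy key and checks RemoteDebuggingAllowed and the extension allowlist. The extension IDs are placeholders. Beyond what the page states, the audit also looks for an ExtensionInstallBlocklist entry of "*", because Chrome's allowlist policy only exempts the listed extensions from the blocklist and does nothing on its own.

```python
"""Audit an exported Chrome policy key for the Group Policy controls above.

Added example, not code from the original page. The .reg text is constructed
to look like `reg export` output for the Chrome policy key; the extension IDs
are placeholders.
"""
import re

CHROME_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"

# Constructed: debug port still allowed, allowlist set but no blocklist.
WEAK_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"RemoteDebuggingAllowed"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist]
"1"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

# Constructed: the same machine after applying the controls from this section.
HARDENED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"RemoteDebuggingAllowed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist]
"1"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist]
"1"="*"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; only dword and string values are parsed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, val = m.group("name"), m.group("val")
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            # .reg string values escape quotes and backslashes; undo both.
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_chrome_policy(keys):
    """Return (level, message) findings for the controls this section recommends."""
    findings = []
    root = keys.get(CHROME_POLICY_KEY, {})
    rda = root.get("RemoteDebuggingAllowed")
    if rda is None:
        findings.append(("HIGH", "RemoteDebuggingAllowed is unset; --remote-debugging-port is permitted by default"))
    elif rda != 0:
        findings.append(("HIGH", f"RemoteDebuggingAllowed={rda}; set it to 0"))
    allow = keys.get(CHROME_POLICY_KEY + r"\ExtensionInstallAllowlist", {})
    block = keys.get(CHROME_POLICY_KEY + r"\ExtensionInstallBlocklist", {})
    if not allow:
        findings.append(("MEDIUM", "No ExtensionInstallAllowlist configured"))
    elif "*" not in block.values():
        # The allowlist only exempts its entries from the blocklist, so without
        # ExtensionInstallBlocklist = "*" every unlisted extension stays installable.
        findings.append(("MEDIUM", "ExtensionInstallAllowlist set but ExtensionInstallBlocklist lacks '*'"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REG_EXPORT), ("hardened", HARDENED_REG_EXPORT)):
        print(label, audit_chrome_policy(parse_reg_export(text)) or "compliant")
```

On a real host the input would come from `reg export HKLM\SOFTWARE\Policies\Google\Chrome chrome-policy.reg`; the parser ignores value types other than dword and string, which is enough for these policies.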
If Compromise Suspected
- Check for --remote-debugging-port usage
- Review installed extensions
- Audit Login Data access
- Change all stored passwords
- Check for injected DLLs
- Review browser history and downloads
Investigation Checklist
- Verify chrome.exe path is legitimate
- Check command line for debug port flags
- Review child processes for shells
- Audit installed extensions
- Check for Login Data file access
- Review network connections
- Examine for headless operation
- Validate process signature