CVE-2025-13223 Microsoft Sentinel · KQL

Detect Google Chromium V8 Type Confusion Exploitation (CVE-2025-13223) in Microsoft Sentinel

Detects exploitation attempts targeting CVE-2025-13223, a type confusion vulnerability (CWE-843) in Google Chromium's V8 JavaScript engine. This KEV-listed vulnerability allows remote attackers to execute arbitrary code via a crafted HTML page. Exploitation typically involves a malicious web page triggering memory corruption through confused object type handling in V8, leading to sandbox escape or remote code execution within the browser process.

MITRE ATT&CK

Tactic
Initial Access Execution Defense Evasion

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let suspiciousChromeChildren = DeviceProcessEvents
| where FileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessId, ProcessId;
let crashDumps = DeviceFileEvents
| where FolderPath has_any ("Crashpad", "CrashDumps", "crash-reports")
| where FileName endswith ".dmp" or FileName endswith ".crash"
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, InitiatingProcessFileName;
let networkAfterBrowser = DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe")
| where InitiatingProcessParentFileName in~ ("chrome.exe", "msedge.exe", "brave.exe")
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine;
union suspiciousChromeChildren, crashDumps, networkAfterBrowser
| sort by TimeGenerated desc
critical severity medium confidence

Detects suspicious child process spawning from Chromium-based browsers (indicative of V8 type confusion exploitation leading to sandbox escape), browser crash dump generation, and anomalous network activity from processes spawned by browser children. Covers CVE-2025-13223 post-exploitation telemetry.

Data Sources

Microsoft Defender for EndpointMicrosoft Sentinel DeviceProcessEventsDeviceFileEventsDeviceNetworkEvents

Required Tables

DeviceProcessEventsDeviceFileEventsDeviceNetworkEvents

False Positives & Tuning

  • Legitimate browser automation or test frameworks (Selenium, Playwright) that spawn command interpreters from browser processes
  • Developer tools and debugging sessions where chrome.exe spawns child processes intentionally
  • Enterprise software that embeds Chromium (Electron apps) and spawns shell processes as part of normal operation
  • Crash reporting tools that generate .dmp files during legitimate browser crashes unrelated to exploitation

Other platforms for CVE-2025-13223

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate V8 Sandbox Escape - Chrome Spawning cmd.exe

    Expected signal: Sysmon EventID 1 (ProcessCreate) with ParentImage matching chrome.exe and Image matching cmd.exe; DeviceProcessEvents in MDE showing FileName=cmd.exe with InitiatingProcessFileName=chrome.exe

  2. Test 2Browser Process Network Beacon Simulation Post-Exploitation

    Expected signal: Sysmon EventID 3 (NetworkConnect) with Image=powershell.exe, ParentImage=chrome.exe (or powershell spawned in context of test), DestinationIp=192.0.2.1, DestinationPort=4444; DeviceNetworkEvents with InitiatingProcessFileName=powershell.exe

  3. Test 3Chrome Crash Dump Generation - Exploitation Indicator Simulation

    Expected signal: Sysmon EventID 11 (FileCreate) events for each .dmp file creation in the Crashpad reports directory; DeviceFileEvents with FileName ending in .dmp and FolderPath containing Crashpad

  4. Test 4Linux - Chromium Renderer Child Process Spawn Simulation

    Expected signal: Linux audit log (auditd) or Sysdig/Falco events showing bash or sh spawned with ppid matching chromium-browser process; EDR telemetry (CrowdStrike Falcon for Linux, SentinelOne) recording process lineage

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-13223 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0005Defense Evasion

Related Techniques

T1203Exploitation for Client ExecutionT1059.001PowerShellT1547.001Registry Run Keys / Startup Folder

Same Tactic: Initial Access

Popular Detections