Detect CVE-2025-14174: Google Chromium Out of Bounds Memory Access Exploitation in Microsoft Sentinel
Detects exploitation of CVE-2025-14174, an out-of-bounds memory access vulnerability in Google Chromium. This vulnerability is actively exploited in the wild (CISA KEV) and can allow attackers to execute arbitrary code or escape the browser sandbox via a crafted web page. Detection focuses on abnormal Chromium process behavior including child process spawning, memory anomalies, and post-exploitation indicators.
MITRE ATT&CK
KQL Detection Query
let chromiumProcesses = dynamic(["chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"]);
let suspiciousChildProcs = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName has_any (chromiumProcesses)
| where FileName has_any (suspiciousChildProcs)
| where InitiatingProcessParentFileName !has "explorer.exe" or isempty(InitiatingProcessParentFileName)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessId, ProcessId
| join kind=leftouter (
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName has_any (chromiumProcesses)
| where RemotePort in (4444, 1337, 8080, 9001, 31337)
| project TimeGenerated, DeviceName, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl
) on DeviceName, $left.InitiatingProcessId == $right.InitiatingProcessId
| extend RiskScore = case(
FileName =~ "powershell.exe" and ProcessCommandLine has_any ("-enc", "-EncodedCommand", "IEX", "Invoke-Expression"), 90,
FileName =~ "cmd.exe" and ProcessCommandLine has "/c", 70,
isnotempty(RemoteIP), 80,
50
)
| where RiskScore >= 50
| order by RiskScore descDetects Chromium browser processes spawning suspicious child processes that may indicate exploitation of CVE-2025-14174. Correlates with outbound network connections on known C2 ports from Chromium renderer processes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate browser automation tools (Selenium, Playwright) that spawn command-line processes
- Enterprise browser management solutions that invoke scripts via browser context
- Developer environments where Chrome extensions legitimately invoke native messaging hosts
- IT admin tasks executed via browser-based remote management consoles
Other platforms for CVE-2025-14174
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Chromium Renderer Spawning CMD Shell (Simulated)
Expected signal: Process creation event showing chrome.exe as parent of cmd.exe; file write event to C:\Temp\chromium_oob_test.txt
- Test 2Chrome Spawning PowerShell with Encoded Command
Expected signal: Process creation event with chrome.exe parent, powershell.exe child with -EncodedCommand argument visible in command line
- Test 3Linux Chromium Spawning Shell Process
Expected signal: Process creation audit log (auditd or Sysdig) showing chromium-browser as parent of bash process; file write to /tmp/
- Test 4Browser Process Network Connection to C2 Port (Simulated)
Expected signal: Network connection event from chrome.exe to 127.0.0.1:4444; correlated with child process spawn event
Unlock Pro Content
Get the full detection package for CVE-2025-14174 including response playbook, investigation guide, and atomic red team tests.