
# Suspicious Browser Child Process

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059/ |

#### Description
This detection fires when a browser spawns a suspicious child process. Such a child process can execute commands or install software, and it is a common way for malware to be installed on a system (for example via ClickFix/FileFix-style social engineering, where the user is tricked into running a command).

Adjust the list of browsers to match your environment.

#### Risk
A potentially malicious command has been executed and may have installed malicious software.

#### References
- https://mrd0x.com/filefix-clickfix-alternative/

## Defender XDR
```KQL
// Browsers whose child processes are in scope; adjust to your environment.
let Browsers = dynamic(['Chrome.exe', 'Firefox.exe', 'msedge.exe', 'Brave.exe']);
// Interpreters and LOLBins that a browser should not normally spawn.
// Note: the binary is cscript.exe (the original list had the typo 'csscript.exe', which never matches).
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'cscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
| where InitiatingProcessFileName in~ (Browsers)
// Match on the on-disk name or the PE OriginalFileName, so a renamed copy is still caught.
| where FileName in~ (SuspiciousChildProcesses) or ProcessVersionInfoOriginalFileName in~ (SuspiciousChildProcesses)
| project-reorder Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileName
```

## Sentinel
```KQL
// Browsers whose child processes are in scope; adjust to your environment.
let Browsers = dynamic(['Chrome.exe', 'Firefox.exe', 'msedge.exe', 'Brave.exe']);
// Interpreters and LOLBins that a browser should not normally spawn.
// Note: the binary is cscript.exe (the original list had the typo 'csscript.exe', which never matches).
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'cscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
| where InitiatingProcessFileName in~ (Browsers)
// Match on the on-disk name or the PE OriginalFileName, so a renamed copy is still caught.
| where FileName in~ (SuspiciousChildProcesses) or ProcessVersionInfoOriginalFileName in~ (SuspiciousChildProcesses)
| project-reorder TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileName
```

## Explanation

This query is designed to detect potentially malicious activity on a computer by identifying suspicious processes that are started by web browsers. Here's a simple breakdown of what the query does:

1. Purpose: The query aims to find instances where a web browser (like Chrome, Firefox, Edge, or Brave) starts a child process that is considered suspicious. Such processes could be used to execute commands or install malware.
2. Technique: It relates to the MITRE ATT&CK technique T1059, which involves using command and scripting interpreters to execute malicious commands.
3. How it works:
   - The query defines two lists:
     - Browsers: a list of common web browser executable names.
     - SuspiciousChildProcesses: a list of executable names that are often used to run commands or scripts (e.g., cmd.exe, powershell.exe).
   - It searches through device process events to find cases where a process initiated by a browser matches one of the suspicious child process names, checking both the file name on disk and the original file name recorded in the binary's version information.
   - The query then selects and orders specific details about these events, such as the timestamp, device name, command lines, user account, and original file name of the process.
4. Output: The result will show details of any suspicious child processes started by browsers, which could indicate malicious activity.
5. Risk: If such processes are found, it suggests that a potentially harmful command has been executed, possibly leading to malware installation.
6. Environment adjustment: The list of browsers can be customized to fit the specific environment being monitored.

This query is useful for security analysts to monitor and investigate suspicious activities that might compromise system security.
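To make the matching logic above testable offline, here is the same detection re-implemented in Python over constructed DeviceProcessEvents-style records. This is an added example, not code from the original page or its author; the field names mirror the Defender XDR columns the query uses, and the sample events (device names, account, command lines) are constructed placeholders, not real telemetry. It shows the two behaviours an analyst relies on: the case-insensitive `in~` comparison, and the fallback to `ProcessVersionInfoOriginalFileName` that catches an interpreter copied under a different file name.

```python
"""Added example (not the page's own code): the 'Suspicious Browser Child Process'
matching logic, implemented in Python over constructed DeviceProcessEvents records.
Assumption: dict keys mirror the Defender XDR DeviceProcessEvents column names."""

# Same two lists as the KQL query. KQL's `in~` is case-insensitive,
# so every comparison below is done on lower-cased values.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}
SUSPICIOUS_CHILD_PROCESSES = {
    "cmd.exe", "powershell.exe", "bash.exe", "cscript.exe",
    "mshta.exe", "msiexec.exe", "rundll32.exe",
}

# Columns the query moves to the front with project-reorder.
PROJECTED_COLUMNS = (
    "Timestamp", "DeviceName", "ProcessCommandLine",
    "InitiatingProcessCommandLine", "AccountUpn",
    "ProcessVersionInfoOriginalFileName",
)


def _norm(value):
    """Case-insensitive comparison like `in~`; a missing/empty field never matches."""
    return (value or "").lower()


def is_suspicious_browser_child(event):
    """True when a browser parent spawned a child whose on-disk FileName OR the
    OriginalFileName from its PE version resource is in the suspicious list."""
    if _norm(event.get("InitiatingProcessFileName")) not in BROWSERS:
        return False
    child = _norm(event.get("FileName"))
    original = _norm(event.get("ProcessVersionInfoOriginalFileName"))
    return child in SUSPICIOUS_CHILD_PROCESSES or original in SUSPICIOUS_CHILD_PROCESSES


def find_suspicious_children(events):
    """Filter events like the two `where` clauses, then project the reordered columns."""
    return [
        {column: event.get(column) for column in PROJECTED_COLUMNS}
        for event in events
        if is_suspicious_browser_child(event)
    ]


# Constructed sample events (placeholders, not real telemetry).
SAMPLE_EVENTS = [
    {   # browser -> cmd.exe: matches on FileName
        "Timestamp": "2025-07-02T10:00:00Z", "DeviceName": "ws01",
        "InitiatingProcessFileName": "msedge.exe", "FileName": "cmd.exe",
        "ProcessVersionInfoOriginalFileName": "Cmd.Exe",
        "ProcessCommandLine": "cmd.exe /c <placeholder-command>",
        "InitiatingProcessCommandLine": "msedge.exe <placeholder-url>",
        "AccountUpn": "user@example.com",
    },
    {   # browser -> PowerShell copied as update.exe: FileName misses, OriginalFileName catches it
        "Timestamp": "2025-07-02T10:01:00Z", "DeviceName": "ws01",
        "InitiatingProcessFileName": "CHROME.EXE", "FileName": "update.exe",
        "ProcessVersionInfoOriginalFileName": "PowerShell.EXE",
        "ProcessCommandLine": "update.exe -NoProfile <placeholder-script>",
        "InitiatingProcessCommandLine": "chrome.exe",
        "AccountUpn": "user@example.com",
    },
    {   # browser -> its own content process: benign, not in the list
        "Timestamp": "2025-07-02T10:02:00Z", "DeviceName": "ws02",
        "InitiatingProcessFileName": "firefox.exe", "FileName": "firefox.exe",
        "ProcessVersionInfoOriginalFileName": "firefox.exe",
        "ProcessCommandLine": "firefox.exe -contentproc",
        "InitiatingProcessCommandLine": "firefox.exe",
        "AccountUpn": "user@example.com",
    },
    {   # explorer -> cmd.exe: suspicious child, but the parent is not a browser
        "Timestamp": "2025-07-02T10:03:00Z", "DeviceName": "ws02",
        "InitiatingProcessFileName": "explorer.exe", "FileName": "cmd.exe",
        "ProcessVersionInfoOriginalFileName": "Cmd.Exe",
        "ProcessCommandLine": "cmd.exe",
        "InitiatingProcessCommandLine": "explorer.exe",
        "AccountUpn": "user@example.com",
    },
]


if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["ProcessCommandLine"])
```

Running the block prints the two ws01 events and drops the benign browser helper and the explorer-spawned shell, which is exactly the split the KQL `where` clauses produce. The second sample is the reason the query checks `ProcessVersionInfoOriginalFileName` at all: the on-disk name is unremarkable, but the version resource still says PowerShell.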

## Details

Bert-Jan Pals

Released: July 2, 2025

Tables: DeviceProcessEvents

Operators: let, dynamic, in~, or, project-reorder, where