# Suspicious Explorer Child Process

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059/ |

#### Description
This detection triggers when explorer.exe spawns a suspicious child process (a command or scripting interpreter) whose command line contains suspicious parameters. Such child processes can execute or install commands and are often used to deploy malware on systems.

Adjust the lists of suspicious child processes and parameters to your environment.

#### Risk
A potentially malicious command has been executed and may have installed malicious software.

#### References
- https://mrd0x.com/filefix-clickfix-alternative/

## Defender XDR
```KQL
// Command-line fragments typical of download cradles and encoded/hidden interpreter invocations
let Parameters = dynamic(['http', 'https', 'Encoded', 'EncodedCommand', '-e', '-eC', '-enc', '-w', '://']);
// Interpreters and LOLBins that should rarely be launched directly from Explorer with these parameters
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'cscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
| where InitiatingProcessFileName =~ "explorer.exe" or InitiatingProcessVersionInfoOriginalFileName =~ "explorer.exe"
// Check the PE original file name as well, so a renamed binary is still caught
| where FileName in~ (SuspiciousChildProcesses) or ProcessVersionInfoOriginalFileName in~ (SuspiciousChildProcesses)
| where ProcessCommandLine has_any (Parameters)
| project-reorder Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileName
```

## Sentinel
```KQL
// Command-line fragments typical of download cradles and encoded/hidden interpreter invocations
let Parameters = dynamic(['http', 'https', 'Encoded', 'EncodedCommand', '-e', '-eC', '-enc', '-w', '://']);
// Interpreters and LOLBins that should rarely be launched directly from Explorer with these parameters
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'cscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
| where InitiatingProcessFileName =~ "explorer.exe" or InitiatingProcessVersionInfoOriginalFileName =~ "explorer.exe"
// Check the PE original file name as well, so a renamed binary is still caught
| where FileName in~ (SuspiciousChildProcesses) or ProcessVersionInfoOriginalFileName in~ (SuspiciousChildProcesses)
| where ProcessCommandLine has_any (Parameters)
| project-reorder TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileName
```

Explanation

This query is designed to detect potentially malicious activity on a computer system by monitoring processes initiated by Windows Explorer (explorer.exe). It specifically looks for suspicious child processes that are commonly used to execute or install commands, which could indicate malware activity.

Here's a simple breakdown of what the query does:

  1. Suspicious Child Processes: The query identifies child processes of explorer.exe that are known to be used for executing scripts or commands. These include cmd.exe, powershell.exe, bash.exe, and others.

  2. Suspicious Parameters: It checks if the command line of these child processes contains certain suspicious parameters, such as http, https, Encoded, -e, -enc, and others. These parameters are often used in malicious scripts or commands.

  3. Filtering and Output: The query filters the events to find matches and then organizes the output to show the timestamp, device name, command line of the process, command line of the initiating process, user account, and the original file name of the process.

The goal of this query is to help security teams identify and investigate potentially harmful activity that could lead to malware installation or other security breaches. It is important to adjust the lists of child processes and parameters to the specific environment to reduce false positives.
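To show how the three `where` clauses combine, here is an added Python emulation of the query's logic run over constructed DeviceProcessEvents rows (example code written for this page, not part of the original query or of KQLQuery.com). It approximates KQL's whole-term `has_any` with case-insensitive substring matching, spells the Windows Script Host binary as cscript.exe, and uses a benign base64 placeholder (`QQBCAEMA`, "ABC") in the sample command lines; the second row shows why the query also checks ProcessVersionInfoOriginalFileName, since a renamed binary still carries its original PE name.

```python
PARAMETERS = ["http", "https", "Encoded", "EncodedCommand", "-e", "-eC", "-enc", "-w", "://"]
SUSPICIOUS_CHILDREN = ["cmd.exe", "powershell.exe", "bash.exe", "cscript.exe",
                       "mshta.exe", "msiexec.exe", "rundll32.exe"]
PROJECTION = ["Timestamp", "DeviceName", "ProcessCommandLine", "InitiatingProcessCommandLine",
              "AccountUpn", "ProcessVersionInfoOriginalFileName"]

def in_ci(value, candidates):
    """KQL `in~`: case-insensitive membership test."""
    return value.lower() in {c.lower() for c in candidates}

def has_any_ci(text, terms):
    """Stand-in for KQL `has_any`: case-insensitive substring match (broader than KQL's whole-term match)."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)

def is_suspicious(ev):
    """Apply the query's three `where` clauses to one DeviceProcessEvents-shaped row."""
    parent_is_explorer = (ev["InitiatingProcessFileName"].lower() == "explorer.exe"
                          or ev["InitiatingProcessVersionInfoOriginalFileName"].lower() == "explorer.exe")
    child_is_interpreter = (in_ci(ev["FileName"], SUSPICIOUS_CHILDREN)
                            or in_ci(ev["ProcessVersionInfoOriginalFileName"], SUSPICIOUS_CHILDREN))
    return parent_is_explorer and child_is_interpreter and has_any_ci(ev["ProcessCommandLine"], PARAMETERS)

def hunt(events):
    """Return the projected columns for every matching row, in input order."""
    return [tuple(ev[col] for col in PROJECTION) for ev in events if is_suspicious(ev)]

def row(ts, device, upn, file_name, orig, cmd, parent, parent_orig, parent_cmd):
    """Helper that builds a row with the DeviceProcessEvents column names the query uses."""
    return {"Timestamp": ts, "DeviceName": device, "AccountUpn": upn, "FileName": file_name,
            "ProcessVersionInfoOriginalFileName": orig, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": parent, "InitiatingProcessVersionInfoOriginalFileName": parent_orig,
            "InitiatingProcessCommandLine": parent_cmd}

# Constructed sample rows, not real telemetry.
SAMPLE_EVENTS = [
    # Encoded, hidden-window PowerShell spawned by Explorer: all three clauses hit.
    row("2025-07-04T10:00:00Z", "ws01", "alice@example.com", "powershell.exe", "PowerShell.EXE",
        "powershell.exe -w hidden -enc QQBCAEMA", "explorer.exe", "EXPLORER.EXE", "C:\\Windows\\Explorer.EXE"),
    # PowerShell renamed on disk: FileName misses, but the PE header's OriginalFileName still matches.
    row("2025-07-04T10:01:00Z", "ws02", "bob@example.com", "svchost32.exe", "PowerShell.EXE",
        "svchost32.exe -e QQBCAEMA", "explorer.exe", "EXPLORER.EXE", "C:\\Windows\\Explorer.EXE"),
    # cmd from Explorer running a plain directory listing: no suspicious parameter, so no hit.
    row("2025-07-04T10:02:00Z", "ws01", "alice@example.com", "cmd.exe", "Cmd.Exe",
        "cmd.exe /c dir", "explorer.exe", "EXPLORER.EXE", "C:\\Windows\\Explorer.EXE"),
    # Same encoded command, but the parent is not Explorer: outside this query's scope.
    row("2025-07-04T10:03:00Z", "ws03", "carol@example.com", "powershell.exe", "PowerShell.EXE",
        "powershell.exe -enc QQBCAEMA", "svchost.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]
```

Running `hunt(SAMPLE_EVENTS)` returns only the first two rows, the second of them reported with its PE name PowerShell.EXE even though the file on disk was renamed.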

Details

Bert-Jan Pals

Released: July 4, 2025

Tables

DeviceProcessEvents

Keywords

Device, Process, Account, CommandLine

Operators

let, dynamic, =~, or, in~, has_any, project-reorder