2024-05-15 // Dylan Evans
Suspicious Drive-by Shell Execution via Browser Process
Defender XDR
Detects malicious command shell execution (cmd.exe or PowerShell) spawned by common browser processes, followed by suspicious network activity.
Overview
This detection identifies potential malicious activity where a browser process spawns a command shell (cmd.exe or PowerShell) and then initiates suspicious network connections, which could indicate a drive-by download attack. The correlation between process execution and network events helps isolate lateral movement or persistence vectors tied to browser-based exploitation.
Query
// detect command shell execution from popular browser executables
let browserProcesses = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"]); // expand this list with additional executable names if required
let shellProcesses = dynamic(["cmd.exe", "powershell.exe"]);
// Shell processes spawned directly by a browser (case-insensitive match on the file names)
let browserSpawningShell = DeviceProcessEvents
| where InitiatingProcessFileName in~ (browserProcesses) and FileName in~ (shellProcesses)
| project DeviceId, BrowserProcessId = InitiatingProcessId, ShellProcessId = ProcessId, SpawnTime = TimeGenerated;
// Network activity initiated by those shells; DeviceId is kept because process IDs are only unique per device
let shellNetworkActivity = DeviceNetworkEvents
| where InitiatingProcessFileName in~ (shellProcesses)
| where InitiatingProcessId in ((browserSpawningShell | project ShellProcessId))
| project DeviceId, ShellProcessId = InitiatingProcessId, RemoteUrl, TimeGenerated;
// Correlate spawn and network events for the same shell process on the same device
browserSpawningShell
| join kind=inner (shellNetworkActivity) on DeviceId, ShellProcessId
| where TimeGenerated >= SpawnTime // ignore network events recorded before the spawn (recycled process IDs)
| project TimeGenerated, DeviceId, BrowserProcessId, ShellProcessId, RemoteUrl
Logic Explanation
The query first identifies browser processes (chrome.exe, firefox.exe, etc.) that spawn shell commands (cmd.exe/powershell.exe). It then joins this with network events originating from those spawned shells to detect suspicious remote URLs. The join ensures only correlated events (same ShellProcessId) are included, filtering for potential drive-by download activity.
Tuning Notes
False positives may occur if legitimate browser processes call shell commands (e.g., admin tasks). Consider whitelisting trusted domains or adjusting the RemoteUrl filter.
- Suggestion: add a filter such as | where RemoteUrl !contains "trusted-domain.com" to refine suspicious URLs.
- Browser process exclusions: some browsers run as services (msedge.exe, iexplore.exe) that may not spawn shells. Exclude service-related processes by adding: | where InitiatingProcessParentFileName != "svchost.exe" (DeviceProcessEvents exposes the browser's own parent under that column).
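The following Python program is an added example and is not part of the original detection page or Defender XDR itself. It re-implements the correlation described in the Logic Explanation and Tuning Notes offline, over a handful of constructed process and network events (the device IDs, process IDs, timestamps and URLs are made up), so the join behaviour can be checked without a tenant. It goes a little beyond the query in two places that matter for tuning: the join key includes the device ID, because a process ID alone collides across machines, and the trusted-domain allowlist matches on the parsed hostname rather than as a substring, since a plain "contains" check also accepts lookalike hosts that merely embed the trusted name. The column-like dictionary keys in the output (TimeGenerated, DeviceId, BrowserProcessId, ShellProcessId, RemoteUrl) mirror the query's final project; everything else is this example's own naming.

```python
# Added example (not part of the original detection page): an offline
# re-implementation of the browser -> shell -> network correlation so the
# join logic can be exercised against constructed events.
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Process lists mirror the query's browserProcesses / shellProcesses.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of DeviceProcessEvents columns used by the query."""
    device_id: str
    timestamp: datetime
    initiating_file_name: str   # InitiatingProcessFileName (the parent)
    initiating_pid: int         # InitiatingProcessId
    file_name: str              # FileName (the child)
    pid: int                    # ProcessId


@dataclass(frozen=True)
class NetworkEvent:
    """Subset of DeviceNetworkEvents columns used by the query."""
    device_id: str
    timestamp: datetime
    initiating_pid: int         # InitiatingProcessId
    remote_url: str             # RemoteUrl


def host_is_allowlisted(url: str, allowlist) -> bool:
    """True when the URL's hostname is (a subdomain of) an allowlisted domain.
    Matching the parsed hostname avoids the substring pitfall of `!contains`,
    where "trusted-domain.com" also matches "trusted-domain.com.attacker.invalid"."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)


def browser_spawned_shells(process_events):
    """Equivalent of browserSpawningShell: shells whose parent is a browser,
    keyed on (DeviceId, ShellProcessId) because PIDs are only unique per device."""
    return {
        (e.device_id, e.pid): e
        for e in process_events
        if e.initiating_file_name.lower() in BROWSER_PROCESSES
        and e.file_name.lower() in SHELL_PROCESSES
    }


def correlate(process_events, network_events, allowlist=(), window=timedelta(minutes=30)):
    """Equivalent of the final join, with two extra guards: the network event must
    fall inside `window` after the spawn (recycled PIDs), and allowlisted
    destinations are dropped (the page's RemoteUrl tuning suggestion)."""
    shells = browser_spawned_shells(process_events)
    hits = []
    for n in network_events:
        spawn = shells.get((n.device_id, n.initiating_pid))
        if spawn is None:
            continue  # no browser-spawned shell with this PID on this device
        if not (spawn.timestamp <= n.timestamp <= spawn.timestamp + window):
            continue  # outside the spawn window: most likely a recycled PID
        if host_is_allowlisted(n.remote_url, allowlist):
            continue  # trusted destination, tuned out
        hits.append({
            "TimeGenerated": n.timestamp,
            "DeviceId": n.device_id,
            "BrowserProcessId": spawn.initiating_pid,
            "ShellProcessId": spawn.pid,
            "RemoteUrl": n.remote_url,
        })
    return hits


# Constructed sample telemetry (device IDs, PIDs, times and URLs are made up).
T0 = datetime(2024, 5, 15, 9, 0, 0)
SAMPLE_PROCESS_EVENTS = [
    # device-a: chrome.exe (pid 1200) spawns powershell.exe (pid 4242)
    ProcessEvent("device-a", T0, "chrome.exe", 1200, "powershell.exe", 4242),
    # device-a: explorer.exe spawns cmd.exe; not a browser parent, ignored
    ProcessEvent("device-a", T0, "explorer.exe", 900, "cmd.exe", 5000),
    # device-b: a cmd.exe that happens to reuse pid 4242, parent is not a browser
    ProcessEvent("device-b", T0, "explorer.exe", 700, "cmd.exe", 4242),
]
SAMPLE_NETWORK_EVENTS = [
    # true positive: shell 4242 on device-a reaches out shortly after spawn
    NetworkEvent("device-a", T0 + timedelta(seconds=5), 4242, "http://203.0.113.5/stage2"),
    # benign: same shell, allowlisted destination
    NetworkEvent("device-a", T0 + timedelta(seconds=6), 4242, "https://updates.trusted-domain.com/ping"),
    # lookalike: allowlisted name embedded in a different real host, still flagged
    NetworkEvent("device-a", T0 + timedelta(seconds=7), 4242, "http://trusted-domain.com.attacker.invalid/x"),
    # same PID on another device: must not join without DeviceId in the key
    NetworkEvent("device-b", T0 + timedelta(seconds=5), 4242, "http://203.0.113.9/other"),
    # same PID on device-a, but an hour before the spawn (recycled PID)
    NetworkEvent("device-a", T0 - timedelta(hours=1), 4242, "http://203.0.113.7/old"),
]


def run_detection(allowlist=("trusted-domain.com",)):
    """Run the correlation over the constructed sample telemetry."""
    return correlate(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS, allowlist=allowlist)


if __name__ == "__main__":
    for hit in run_detection():
        print(hit)
```

Running it prints two hits, both on device-a and both for shell 4242: the stage2 download and the lookalike host. The allowlisted updates.trusted-domain.com request, the device-b event that shares the PID, and the pre-spawn event are all dropped, which is exactly the behaviour to confirm before trusting the query's join in a multi-device tenant.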
References
- Microsoft Defender XDR: Browser-Based Attacks
- MITRE ATT&CK: T1059.003 (Command-Line Interface) and T1071 (Process Injection).