
2024-05-15 // Dylan Evans

Suspicious Drive-by Shell Execution via Browser Process

Defender XDR

Detects malicious command shell execution (cmd.exe or PowerShell) spawned by common browser processes, followed by suspicious network activity.

Tags: drive-by-download, browser-exploitation, command-shell


Overview

This detection identifies potential malicious activity in which a browser process spawns a command shell (cmd.exe or PowerShell) and that shell then initiates network connections, a pattern consistent with a drive-by download attack. Correlating the process event with the network event ties each outbound connection to the specific shell the browser started, rather than to unrelated shell activity on the device, and helps isolate lateral movement or persistence vectors tied to browser-based exploitation.

Query

// detect command shell execution from popular browser executables
let browserProcesses = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"]); // expand on this with additional executable names if required
let shellProcesses = dynamic(["cmd.exe", "powershell.exe"]);
// Detecting shell processes spawned by a browser (in~ matches case-insensitively; image names vary in case)
let browserSpawningShell = DeviceProcessEvents
| where InitiatingProcessFileName in~ (browserProcesses) and FileName in~ (shellProcesses)
| project BrowserProcessId = InitiatingProcessId, ShellProcessId = ProcessId, ShellCreationTime = ProcessCreationTime, DeviceId, TimeGenerated;
// Detecting network activity from the shell
let shellNetworkActivity = DeviceNetworkEvents
| where InitiatingProcessId in ((browserSpawningShell | project ShellProcessId))
| project ShellProcessId = InitiatingProcessId, ShellCreationTime = InitiatingProcessCreationTime, DeviceId, RemoteUrl, NetworkTime = TimeGenerated;
// Correlate all the events. Process IDs are reused over time and collide across devices,
// so join on the device and the shell's creation time as well, not on the PID alone.
browserSpawningShell
| join kind=inner (shellNetworkActivity) on DeviceId, ShellProcessId, ShellCreationTime
| project TimeGenerated, NetworkTime, DeviceId, BrowserProcessId, ShellProcessId, RemoteUrl

Logic Explanation

The query first identifies browser processes (chrome.exe, firefox.exe, etc.) that spawn shells (cmd.exe/powershell.exe). It then joins this with network events originating from those spawned shells to surface the remote URLs they contact. The inner join ensures only correlated events (same ShellProcessId) are included, filtering for potential drive-by download activity.

Tuning Notes

  • False positives may occur if legitimate browser processes call shell commands (e.g., admin tasks). Consider whitelisting trusted domains or adjusting the RemoteUrl filter.

    • Suggestion: add | where RemoteUrl !contains "trusted-domain.com" after the final project to refine suspicious URLs.

  • Browser process exclusions: some browsers run as services (msedge.exe, iexplore.exe) that may not spawn shells. Exclude service-hosted browser instances by filtering on the browser's own parent in browserSpawningShell (DeviceProcessEvents exposes it as InitiatingProcessParentFileName):

    • | where InitiatingProcessParentFileName != "svchost.exe"
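The correlation step, together with the allowlist from the tuning notes, re-implemented in Python over a few constructed sample rows so the logic can be exercised offline. This is an added example, not part of the original detection; device names, PIDs, timestamps and URLs are constructed, and the by_device flag contrasts a join on device and process creation time with a join on the PID alone.

```python
# Added example (not part of the original detection): the query's correlation step
# re-implemented over constructed DeviceProcessEvents / DeviceNetworkEvents rows.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
TRUSTED = {"trusted-domain.com"}  # allowlist; placeholder domain from the tuning notes

# Constructed process rows: (DeviceId, InitiatingProcessFileName, FileName, ProcessId, ProcessCreationTime)
PROCESS_EVENTS = [
    ("dev-A", "chrome.exe", "POWERSHELL.EXE", 4120, "2024-05-15T10:00:01Z"),
    ("dev-A", "explorer.exe", "cmd.exe", 5000, "2024-05-15T10:00:02Z"),
    ("dev-B", "msedge.exe", "cmd.exe", 3300, "2024-05-15T10:05:00Z"),
]
# Constructed network rows: (DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, RemoteUrl)
NETWORK_EVENTS = [
    ("dev-A", 4120, "2024-05-15T10:00:01Z", "http://198.51.100.7/stage2.ps1"),
    ("dev-B", 4120, "2024-05-15T09:00:00Z", "https://update.example.net/"),  # unrelated, same PID
    ("dev-B", 3300, "2024-05-15T10:05:00Z", "https://trusted-domain.com/tools"),
]


def browser_spawned_shells(process_events):
    """Mirror of browserSpawningShell; lower() gives the case-insensitive match of KQL in~."""
    return {
        (device, pid, created)
        for device, parent, name, pid, created in process_events
        if parent.lower() in BROWSERS and name.lower() in SHELLS
    }


def correlate(process_events, network_events, by_device=True, allowlist=TRUSTED):
    """Mirror of the inner join. by_device=True keys on (DeviceId, PID, creation time);
    by_device=False keys on the PID alone and so matches shells on other devices."""
    shells = browser_spawned_shells(process_events)
    keys = {(d, p, c) if by_device else p for d, p, c in shells}
    hits = []
    for device, pid, created, url in network_events:
        key = (device, pid, created) if by_device else pid
        if key in keys and not any(domain in url for domain in allowlist):
            hits.append((device, pid, url))
    return hits


if __name__ == "__main__":
    print("device-aware join:", correlate(PROCESS_EVENTS, NETWORK_EVENTS))
    print("PID-only join:    ", correlate(PROCESS_EVENTS, NETWORK_EVENTS, by_device=False))
    print("no allowlist:     ", correlate(PROCESS_EVENTS, NETWORK_EVENTS, allowlist=set()))
```

With the device-aware join only the dev-A PowerShell connection is reported; the PID-only join additionally pairs dev-A's shell with an unrelated dev-B connection that happens to share PID 4120.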
