IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Browser Child Process
Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Initial Access
- Execution
Version: 100 (version history)
Added (Elastic Stack release): 7.12.0
Last modified (Elastic Stack release): 8.5.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
process where event.type in ("start", "process_started") and
  process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari",
                         "com.apple.WebKit.WebContent", "Microsoft Edge") and
  process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget",
                  "python*", "perl*", "php*", "osascript", "pwsh") and
  process.command_line != null and
  not process.command_line : "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" and
  not process.args : (
    "hw.model",
    "IOPlatformExpertDevice",
    "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh",
    "--defaults-torrc",
    "*Chrome.app",
    "Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh",
    "/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery",
    "$DISPLAY",
    "*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*",
    "/opt/homebrew/*",
    "/usr/local/*brew*"
  )
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Exploitation for Client Execution
  - ID: T1203
  - Reference URL: https://attack.mitre.org/techniques/T1203/
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Drive-by Compromise
  - ID: T1189
  - Reference URL: https://attack.mitre.org/techniques/T1189/
Rule version history
- Version 100 (8.5.0 release)
  - Updated query, changed from:

    process where event.type in ("start", "process_started") and
      process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari",
                             "com.apple.WebKit.WebContent", "Microsoft Edge") and
      process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget",
                      "python*", "perl*", "php*", "osascript", "pwsh") and
      process.command_line != null and
      not process.args : (
        "/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate",
        "hw.model",
        "IOPlatformExpertDevice",
        "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh",
        "--defaults-torrc",
        "Chrome.app",
        "Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh",
        "/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery",
        "$DISPLAY",
        "GIO_LAUNCHED_DESKTOP_FILE_PID=$$"
      )
- Version 2 (8.4.0 release)
  - Formatting only
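
An added example, not Elastic's code: a Python emulation of the version 100 query and of the previous query from the version history, run over constructed process events to show how the changed exclusions behave. It assumes `:` is a case-insensitive wildcard match and that a `process.args` exclusion applies when any array element matches; the flat event dictionaries and the names `wc`, `alerts`, `event` and `SAMPLES` are hypothetical.

```python
from fnmatch import fnmatchcase

PARENTS = ["Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari",
           "com.apple.WebKit.WebContent", "Microsoft Edge"]
CHILDREN = ["sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget",
            "python*", "perl*", "php*", "osascript", "pwsh"]
MSUPDATE = "/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate"
COMMON_ARGS = ["hw.model", "IOPlatformExpertDevice", "--defaults-torrc", "$DISPLAY",  # same in both versions
               "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh",
               "Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh",
               "/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery"]
RULES = {
    "previous": {"cmdline": [],
                 "args": COMMON_ARGS + [MSUPDATE, "Chrome.app", "GIO_LAUNCHED_DESKTOP_FILE_PID=$$"]},
    "v100": {"cmdline": ["*" + MSUPDATE + "*"],
             "args": COMMON_ARGS + ["*Chrome.app", "*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*",
                                    "/opt/homebrew/*", "/usr/local/*brew*"]},
}

def wc(value, patterns):
    """Emulate EQL ':' for one string: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def alerts(ev, version="v100"):
    """True if every clause matches; assumes an args exclusion hits when ANY element matches."""
    rule, cmd = RULES[version], ev["command_line"]
    return (ev["event_type"] in ("start", "process_started")
            and wc(ev["parent_name"], PARENTS)
            and wc(ev["name"], CHILDREN)
            and cmd is not None
            and not wc(cmd, rule["cmdline"])
            and not any(wc(a, rule["args"]) for a in ev["args"]))

def event(parent, name, cmd, args):
    return {"event_type": "start", "parent_name": parent, "name": name,
            "command_line": cmd, "args": args}

# Constructed sample events, not real telemetry; flat field names are a simplification.
MAU = '"/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate" --list'
SAMPLES = {
    "shell": event("Google Chrome Helper (Renderer)", "sh", "sh -c whoami", ["sh", "-c", "whoami"]),
    "updater": event("Microsoft Edge", "sh", "sh -c " + MAU, ["sh", "-c", MAU]),
    "brew": event("Google Chrome", "python3.11", "/opt/homebrew/bin/python3.11 host.py", ["/opt/homebrew/bin/python3.11", "host.py"]),
    "no_cmdline": event("Safari", "bash", None, []),
}

if __name__ == "__main__":
    for label, e in SAMPLES.items():
        print(f"{label:10} previous={alerts(e, 'previous')} v100={alerts(e, 'v100')}")
```

The `updater` and `brew` events alert under the previous query but are suppressed by version 100, while the plain browser-spawned shell alerts under both.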