IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Browser Child Process
editSuspicious Browser Child Process
editIdentifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Initial Access
- Tactic: Execution
- Data Source: Elastic Defend
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where host.os.type == "macos" and event.type in ("start", "process_started") and process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari", "com.apple.WebKit.WebContent", "Microsoft Edge") and process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget", "python*", "perl*", "php*", "osascript", "pwsh") and process.command_line != null and not process.command_line : "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" and not process.args : ( "hw.model", "IOPlatformExpertDevice", "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh", "--defaults-torrc", "*Chrome.app", "Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh", "/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery", "$DISPLAY", "*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*", "/opt/homebrew/*", "/usr/local/*brew*" )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Exploitation for Client Execution
- ID: T1203
- Reference URL: https://attack.mitre.org/techniques/T1203/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Drive-by Compromise
- ID: T1189
- Reference URL: https://attack.mitre.org/techniques/T1189/