T1583.008 Malvertising Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect browsers spawning suspicious child processes — primary indicator of malvertising drive-by execution
let Browsers = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "safari.exe"]);
let SuspiciousChildren = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (Browsers)
| where FileName in~ (SuspiciousChildren)
| extend DownloadPath = iff(FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\"), 1, 0)
| extend NetworkRef = iff(ProcessCommandLine has_any ("http://", "https://", "ftp://"), 1, 0)
| extend EncodedOrDL = iff(ProcessCommandLine has_any ("-enc", "-EncodedCommand", "iex", "DownloadString", "DownloadFile", "WebClient", "Invoke-WebRequest"), 1, 0)
| extend HiddenOrSilent = iff(ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "/quiet", "/q ", "/silent", "/verysilent"), 1, 0)
| extend SuspicionScore = DownloadPath + NetworkRef + EncodedOrDL + HiddenOrSilent + 1
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         FolderPath, DownloadPath, NetworkRef, EncodedOrDL, HiddenOrSilent, SuspicionScore,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by SuspicionScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Browser-based enterprise software portals that use ClickOnce deployment, legitimately spawning msiexec.exe or setup.exe from the browser for internal application installation
IT administrators downloading and immediately running legitimate signed tools from vendor sites (e.g., Sysinternals, vendor agent MSIs, driver installers)
Software update helpers where the browser opens a downloaded updater that spawns cmd.exe or PowerShell as part of a legitimate update workflow
Developer environments where VS Code, IntelliJ, or similar IDEs integrate browser-based workflows that spawn terminal processes
Browser PDF plugins or media extensions that spawn helper processes from the user's Downloads or Temp folder during document rendering

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\chrome.exe" OR ParentImage="*\\msedge.exe" OR ParentImage="*\\firefox.exe" OR
   ParentImage="*\\iexplore.exe" OR ParentImage="*\\opera.exe" OR ParentImage="*\\brave.exe")
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR
   Image="*\\mshta.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR
   Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\msiexec.exe" OR
   Image="*\\certutil.exe" OR Image="*\\bitsadmin.exe")
| eval DownloadPath=if(match(CurrentDirectory, "(\\\\Downloads\\\\|\\\\Temp\\\\|AppData\\\\Local\\\\Temp)"), 1, 0)
| eval NetworkRef=if(match(CommandLine, "(http://|https://|ftp://)"), 1, 0)
| eval EncodedOrDL=if(match(lower(CommandLine), "(-enc|-encodedcommand|iex|downloadstring|downloadfile|webclient|invoke-webrequest)"), 1, 0)
| eval HiddenOrSilent=if(match(lower(CommandLine), "(-windowstyle\s+hidden|-w\s+hidden|/quiet|/silent|/verysilent)"), 1, 0)
| eval SuspicionScore=DownloadPath + NetworkRef + EncodedOrDL + HiddenOrSilent + 1
| table _time, host, User, Image, CommandLine, CurrentDirectory, ParentImage, ParentCommandLine,
        DownloadPath, NetworkRef, EncodedOrDL, HiddenOrSilent, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Browser-based enterprise software portals that use ClickOnce deployment, legitimately spawning msiexec.exe or setup.exe from the browser for internal application installation
IT administrators downloading and immediately running legitimate signed tools from vendor sites (e.g., Sysinternals, vendor agent MSIs, driver installers)
Software update helpers where the browser opens a downloaded updater that spawns cmd.exe or PowerShell as part of a legitimate update workflow
Developer environments where VS Code, IntelliJ, or similar IDEs integrate browser-based workflows that spawn terminal processes
Browser PDF plugins or media extensions that spawn helper processes from the user's Downloads or Temp folder during document rendering

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.parent.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "safari.exe") and
  process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe") and
  (
    process.working_directory like~ "*\\Downloads\\*" or
    process.working_directory like~ "*\\Temp\\*" or
    process.working_directory like~ "*\\AppData\\Local\\Temp\\*" or
    process.args like~ "*http://*" or
    process.args like~ "*https://*" or
    process.args like~ "*-enc*" or
    process.args like~ "*-EncodedCommand*" or
    process.args like~ "*DownloadString*" or
    process.args like~ "*DownloadFile*" or
    process.args like~ "*WebClient*" or
    process.args like~ "*Invoke-WebRequest*" or
    process.args like~ "*iex*" or
    process.args like~ "*-WindowStyle Hidden*" or
    process.args like~ "*-w hidden*" or
    process.args like~ "*/quiet*" or
    process.args like~ "*/silent*" or
    process.args like~ "*/verysilent*"
  )

high severity high confidence

Data Sources

Endpoint Windows Sysmon Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Enterprise software deployment tools that launch Chrome/Edge to authenticate and then invoke msiexec or powershell as part of a legitimate SSO or MDM enrollment workflow.
Developer IDEs (VS Code, JetBrains) that embed Chromium and spawn cmd.exe or powershell.exe for integrated terminal sessions.
Automated Selenium/Playwright test runners that control a browser and invoke helper scripts, triggering the browser→child-process pattern without malicious intent.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "Process Name" AS child_process,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN ("Command" ILIKE '%\\Downloads\\%' OR "Command" ILIKE '%\\Temp\\%' OR "Command" ILIKE '%AppData\\Local\\Temp%') THEN 1 ELSE 0
  END +
  CASE
    WHEN ("Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' OR "Command" ILIKE '%ftp://%') THEN 1 ELSE 0
  END +
  CASE
    WHEN (LOWER("Command") ILIKE '%-enc%' OR LOWER("Command") ILIKE '%-encodedcommand%' OR
         LOWER("Command") ILIKE '%downloadstring%' OR LOWER("Command") ILIKE '%downloadfile%' OR
         LOWER("Command") ILIKE '%webclient%' OR LOWER("Command") ILIKE '%invoke-webrequest%' OR
         LOWER("Command") ILIKE '%iex(%') THEN 1 ELSE 0
  END +
  CASE
    WHEN (LOWER("Command") ILIKE '%-windowstyle hidden%' OR LOWER("Command") ILIKE '%-w hidden%' OR
         LOWER("Command") ILIKE '%/quiet%' OR LOWER("Command") ILIKE '%/silent%' OR
         LOWER("Command") ILIKE '%/verysilent%') THEN 1 ELSE 0
  END + 1 AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 119, 382)
  AND ("Event ID" = '1' OR "Event ID" = '4688')
  AND (
    LOWER("Parent Process Name") ILIKE '%chrome.exe' OR
    LOWER("Parent Process Name") ILIKE '%msedge.exe' OR
    LOWER("Parent Process Name") ILIKE '%firefox.exe' OR
    LOWER("Parent Process Name") ILIKE '%iexplore.exe' OR
    LOWER("Parent Process Name") ILIKE '%opera.exe' OR
    LOWER("Parent Process Name") ILIKE '%brave.exe'
  )
  AND (
    LOWER("Process Name") ILIKE '%powershell.exe' OR
    LOWER("Process Name") ILIKE '%pwsh.exe' OR
    LOWER("Process Name") ILIKE '%cmd.exe' OR
    LOWER("Process Name") ILIKE '%mshta.exe' OR
    LOWER("Process Name") ILIKE '%wscript.exe' OR
    LOWER("Process Name") ILIKE '%cscript.exe' OR
    LOWER("Process Name") ILIKE '%rundll32.exe' OR
    LOWER("Process Name") ILIKE '%regsvr32.exe' OR
    LOWER("Process Name") ILIKE '%msiexec.exe' OR
    LOWER("Process Name") ILIKE '%certutil.exe' OR
    LOWER("Process Name") ILIKE '%bitsadmin.exe'
  )
  AND LAST(devicetime) > NOW() - 86400000
ORDER BY suspicion_score DESC, devicetime DESC

high severity medium confidence

Data Sources

Windows Sysmon (QRadar DSM) Microsoft Windows Security Event Log

Required Tables

events

False Positives

Corporate patch management solutions that trigger browser-based authentication portals and subsequently call msiexec.exe or cmd.exe to apply updates silently (/quiet).
Internal web applications that launch helper executables via browser protocol handlers (e.g., custom URI schemes), producing a browser→child-process chain with no malicious intent.
Security awareness training platforms that simulate phishing/malvertising behavior in a controlled sandbox, generating real process-create events with matching parent-child patterns.

Sumo Logic CSE

sql

_sourceCategory="os/windows/sysmon" OR _sourceCategory="os/windows/security"
| where EventID = "1" OR EventID = "4688"
| parse regex field=_raw "(?i)ParentImage[=:]\s*(?:[^\"\s]*\\\\)?(?P<parent_image>[^\\\"\s\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:Image|NewProcessName)[=:]\s*(?:[^\"\s]*\\\\)?(?P<child_image>[^\\\"\s\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:CommandLine|ProcessCommandLine)[=:]\s*(?P<command_line>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:CurrentDirectory|WorkingDirectory)[=:]\s*(?P<working_dir>[^\r\n]+)" nodrop
| where (parent_image matches /(?i)(chrome|msedge|firefox|iexplore|opera|brave)\.exe/)
| where (child_image matches /(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin)\.exe/)
| eval DownloadPath = if (working_dir matches /(?i)(\\Downloads\\|\\Temp\\|AppData\\Local\\Temp)/, 1, 0)
| eval NetworkRef = if (command_line matches /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/, 1, 0)
| eval EncodedOrDL = if (command_line matches /(?i)(-enc|-encodedcommand|\biex\b|downloadstring|downloadfile|webclient|invoke-webrequest)/, 1, 0)
| eval HiddenOrSilent = if (command_line matches /(?i)(-windowstyle\s+hidden|-w\s+hidden|\/quiet|\/silent|\/verysilent)/, 1, 0)
| eval SuspicionScore = DownloadPath + NetworkRef + EncodedOrDL + HiddenOrSilent + 1
| fields _messageTime, _sourceHost, parent_image, child_image, command_line, working_dir, DownloadPath, NetworkRef, EncodedOrDL, HiddenOrSilent, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon Windows Security Event Log

Required Tables

_sourceCategory=os/windows/sysmon _sourceCategory=os/windows/security

False Positives

Browser-based single sign-on (SSO) flows that trigger Windows installer processes, particularly when enterprise software is provisioned via an internal web portal that calls msiexec.exe silently.
Automated browser testing frameworks (Selenium Grid, Playwright on Windows CI agents) where the test runner parent is a browser process and helper scripts are cmd.exe or powershell.exe.
Built-in browser download-and-run prompts for legitimate software (e.g., Zoom, Teams client updates) where the browser directly spawns the installer in the Downloads folder.

Google Chronicle / SecOps

yaral

rule malvertising_browser_spawns_suspicious_child {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects malvertising drive-by execution: browsers spawning LOLBin or interpreter child processes with suspicious command-line indicators — encoded commands, download helpers, silent install flags, or network references."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583.008"
    severity = "HIGH"
    priority = "HIGH"
    created = "2026-04-13"
    version = "1.0"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|safari\.exe)$/
    $e.target.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|certutil\.exe|bitsadmin\.exe)$/
    (
      $e.target.process.command_line = /(?i)(\\Downloads\\|\\Temp\\|AppData\\Local\\Temp)/
      or $e.target.process.command_line = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/
      or $e.target.process.command_line = /(?i)(-enc|-encodedcommand|\biex\b|downloadstring|downloadfile|webclient|invoke-webrequest)/
      or $e.target.process.command_line = /(?i)(-windowstyle\s+hidden|-w\s+hidden|\/quiet|\/silent|\/verysilent)/
    )
  condition:
    $e
}

high severity high confidence

Data Sources

Windows Endpoint (Chronicle Forwarder) Sysmon via Chronicle Ingestion

Required Tables

UDM Events — PROCESS_LAUNCH

False Positives

Browser-integrated enterprise management platforms (e.g., Workspace ONE, Intune web portal) that trigger msiexec.exe or powershell.exe from a browser context during device enrolment, including /quiet flags.
Custom corporate intranet applications that use browser protocol handlers to invoke cmd.exe or powershell.exe scripts stored in the user's AppData directory for local automation tasks.
Web-based developer tooling (e.g., browser IDEs or CI dashboards) that launch local build scripts via the browser, producing a browser→powershell/cmd chain with network and path indicators in the command line.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(chrome|msedge|firefox|iexplore|opera|brave|safari)\.exe$/
| FileName = /(?i)^(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin)\.exe$/
| DownloadPath := if(CommandLine = /(?i)(\\Downloads\\|\\Temp\\|AppData\\Local\\Temp)/, 1, 0)
| NetworkRef := if(CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/, 1, 0)
| EncodedOrDL := if(CommandLine = /(?i)(-enc|-encodedcommand|\biex\b|downloadstring|downloadfile|webclient|invoke-webrequest)/, 1, 0)
| HiddenOrSilent := if(CommandLine = /(?i)(-windowstyle\s+hidden|-w\s+hidden|\/quiet|\/silent|\/verysilent)/, 1, 0)
| SuspicionScore := DownloadPath + NetworkRef + EncodedOrDL + HiddenOrSilent + 1
| select([@timestamp, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, DownloadPath, NetworkRef, EncodedOrDL, HiddenOrSilent, SuspicionScore])
| sort(SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent Falcon ProcessRollup2 telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Falcon-managed hosts running Citrix Workspace or VMware Horizon web clients that present a browser UI and internally spawn msiexec.exe or powershell.exe for plugin or agent updates, including silent-install flags.
Corporate software distribution portals where employees click download links in Edge/Chrome that directly invoke the installer (msiexec.exe /quiet) from the Downloads folder, matching all scored indicators without malicious intent.
Security operations tooling (e.g., Velociraptor web console, Splunk SOAR browser triggers) that invoke powershell.exe or cmd.exe via browser-based action buttons, producing high-scoring events from a trusted workflow.

Malvertising

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections