T1608.004 Drive-by Target Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let BrowserProcesses = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe", "microsoftedge.exe"]);
let SuspiciousChildProcesses = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe", "curl.exe", "pcalua.exe", "msbuild.exe"]);
// Sub-query 1: Browser spawning suspicious child processes — strong exploitation indicator
let BrowserExploitSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where FileName in~ (SuspiciousChildProcesses)
| extend RiskScore = case(
    FileName in~ ("powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"), 3,
    FileName in~ ("rundll32.exe", "regsvr32.exe", "pcalua.exe", "msbuild.exe"), 2,
    FileName in~ ("certutil.exe", "bitsadmin.exe", "schtasks.exe", "wmic.exe", "cmd.exe"), 2,
    1)
| extend DetectionSource = "BrowserSpawnedSuspiciousProcess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, RiskScore, DetectionSource;
// Sub-query 2: Browser dropping executable content to temp or public directories
let BrowserFileDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (BrowserProcesses)
| where ActionType == "FileCreated"
| where FolderPath has_any ("\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\", "\\Users\\Public\\")
| where FileName endswith ".exe" or FileName endswith ".dll"
    or FileName endswith ".hta" or FileName endswith ".vbs"
    or FileName endswith ".ps1" or FileName endswith ".js"
    or FileName endswith ".bat" or FileName endswith ".cmd"
    or FileName endswith ".scr"
| extend RiskScore = case(
    FileName endswith ".exe" or FileName endswith ".dll", 3,
    FileName endswith ".hta" or FileName endswith ".vbs" or FileName endswith ".ps1", 3,
    FileName endswith ".js" or FileName endswith ".bat" or FileName endswith ".cmd" or FileName endswith ".scr", 2,
    1)
| extend DetectionSource = "BrowserDroppedExecutable"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, RiskScore, DetectionSource;
union BrowserExploitSpawn, BrowserFileDrop
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Browser extensions or plugins that legitimately spawn helper processes — e.g., PDF readers (AcroRd32.exe), video codec installers, accessibility tools launched via browser
Legitimate software update mechanisms triggered through the browser — Chrome or Firefox update pipelines may invoke msiexec.exe or cmd.exe to apply updates
Developer workflows using browser-based IDEs, build tools, or debugging extensions that spawn local script interpreters or Node.js processes
Enterprise protocol handlers (custom URI schemes such as myapp://) that allow browsers to launch registered desktop applications or scripts
Download managers integrated with browsers that save executable files to standard temp directories before user-initiated installation

Splunk

spl

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\chrome.exe" OR ParentImage="*\\firefox.exe" OR ParentImage="*\\msedge.exe"
   OR ParentImage="*\\iexplore.exe" OR ParentImage="*\\brave.exe" OR ParentImage="*\\opera.exe"
   OR ParentImage="*\\microsoftedge.exe")
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe"
   OR Image="*\\cscript.exe" OR Image="*\\mshta.exe" OR Image="*\\rundll32.exe"
   OR Image="*\\regsvr32.exe" OR Image="*\\schtasks.exe" OR Image="*\\certutil.exe"
   OR Image="*\\bitsadmin.exe" OR Image="*\\msiexec.exe" OR Image="*\\wmic.exe"
   OR Image="*\\msbuild.exe" OR Image="*\\pcalua.exe"))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
   OR Image="*\\iexplore.exe" OR Image="*\\brave.exe" OR Image="*\\opera.exe")
  (TargetFilename="*\\Temp\\*.exe" OR TargetFilename="*\\Temp\\*.dll"
   OR TargetFilename="*\\Temp\\*.hta" OR TargetFilename="*\\Temp\\*.vbs"
   OR TargetFilename="*\\Temp\\*.ps1" OR TargetFilename="*\\Temp\\*.js"
   OR TargetFilename="*\\Temp\\*.bat" OR TargetFilename="*\\Temp\\*.scr"
   OR TargetFilename="*\\Users\\Public\\*.exe" OR TargetFilename="*\\Users\\Public\\*.dll"))
| eval DetectionType=case(
    EventCode==1, "BrowserSpawnedProcess",
    EventCode==11, "BrowserDroppedFile",
    "Unknown")
| eval RiskScore=case(
    EventCode==1 AND match(Image, "(?i)(powershell\.exe|mshta\.exe|wscript\.exe|cscript\.exe|msbuild\.exe)"), 3,
    EventCode==1 AND match(Image, "(?i)(rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|pcalua\.exe)"), 2,
    EventCode==1, 1,
    EventCode==11 AND match(TargetFilename, "(?i)\.(exe|dll|hta|vbs|ps1)$"), 3,
    EventCode==11 AND match(TargetFilename, "(?i)\.(js|bat|cmd|scr)$"), 2,
    1)
| eval ChildOrFile=coalesce(Image, TargetFilename)
| eval BrowserParent=coalesce(ParentImage, Image)
| table _time, host, User, DetectionType, ChildOrFile, CommandLine, ParentImage, ParentCommandLine, TargetFilename, RiskScore
| sort - RiskScore _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Browser extensions or plugins spawning helper processes for legitimate functionality such as PDF viewers, media players, or accessibility tools
Legitimate browser update pipelines invoking msiexec.exe or cmd.exe to apply browser or extension updates
Developer tool integrations where browser extensions launch local build scripts, Node.js processes, or test runners
Enterprise custom protocol handlers (registered URI schemes) that invoke local desktop applications or batch scripts from browser clicks
Download managers integrated with browsers writing executable installers to the Downloads or Temp directory before user-triggered installation

Elastic Security (EQL)

eql

any where process.name : ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe") and (process.command_line : ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta") or network.direction : "egress" and destination.port in (80, 443) and process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent Network Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Browser extensions or plugins that legitimately spawn helper processes — e.g., PDF readers (AcroRd32.exe), video codec installers, accessibility tools launched via browser
Legitimate software update mechanisms triggered through the browser — Chrome or Firefox update pipelines may invoke msiexec.exe or cmd.exe to apply updates
Developer workflows using browser-based IDEs, build tools, or debugging extensions that spawn local script interpreters or Node.js processes
Enterprise protocol handlers (custom URI schemes such as myapp://) that allow browsers to launch registered desktop applications or scripts
Download managers integrated with browsers that save executable files to standard temp directories before user-initiated installation

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", UTF8(payload) as "URL", username as "Username", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80 WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75 WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access') AND (eventid = 4688 OR destinationport IN (80, 443)) ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log Proxy Zscaler Internet Access

Required Tables

events

False Positives

Browser extensions or plugins that legitimately spawn helper processes — e.g., PDF readers (AcroRd32.exe), video codec installers, accessibility tools launched via browser
Legitimate software update mechanisms triggered through the browser — Chrome or Firefox update pipelines may invoke msiexec.exe or cmd.exe to apply updates
Developer workflows using browser-based IDEs, build tools, or debugging extensions that spawn local script interpreters or Node.js processes
Enterprise protocol handlers (custom URI schemes such as myapp://) that allow browsers to launch registered desktop applications or scripts
Download managers integrated with browsers that save executable files to standard temp directories before user-initiated installation

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access | json auto | where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*") | if(matches(process_name, "*certutil*") and matches(command_line, "*urlcache*"), "High", if(matches(url, "*transfer.sh*") or matches(url, "*gofile.io*"), "High", "Medium")) as RiskLevel | count by src_ip, process_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Windows Endpoint Events Proxy Access Logs

Required Tables

endpoint/windows proxy/access

False Positives

Browser extensions or plugins that legitimately spawn helper processes — e.g., PDF readers (AcroRd32.exe), video codec installers, accessibility tools launched via browser
Legitimate software update mechanisms triggered through the browser — Chrome or Firefox update pipelines may invoke msiexec.exe or cmd.exe to apply updates
Developer workflows using browser-based IDEs, build tools, or debugging extensions that spawn local script interpreters or Node.js processes
Enterprise protocol handlers (custom URI schemes such as myapp://) that allow browsers to launch registered desktop applications or scripts
Download managers integrated with browsers that save executable files to standard temp directories before user-initiated installation

Google Chronicle / SecOps

yaral

rule detect_stage_capabilities {
  meta:
    author = "Argus"
    description = "Detects staging of capabilities from external infrastructure"
    severity = "HIGH"
    technique = "T1608"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.target.url, `\.(exe|dll|bin|ps1|bat|vbs|hta|sh|elf)($|\?)`) nocase or
      re.regex($e.target.hostname, `transfer\.sh|paste\.ee|gofile\.io|anonfiles|temp\.sh`) nocase
    )
    $e.principal.process.file.full_path != ""
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Web Proxy Google Workspace

Required Tables

NETWORK_HTTP PROCESS_LAUNCH FILE_CREATION

False Positives

Browser extensions or plugins that legitimately spawn helper processes — e.g., PDF readers (AcroRd32.exe), video codec installers, accessibility tools launched via browser
Legitimate software update mechanisms triggered through the browser — Chrome or Firefox update pipelines may invoke msiexec.exe or cmd.exe to apply updates
Developer workflows using browser-based IDEs, build tools, or debugging extensions that spawn local script interpreters or Node.js processes
Enterprise protocol handlers (custom URI schemes such as myapp://) that allow browsers to launch registered desktop applications or scripts
Download managers integrated with browsers that save executable files to standard temp directories before user-initiated installation

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /certutil|bitsadmin|curl|wget/i
| CommandHistory = /urlcache|transfer|download|http/i
| case {
    CommandHistory = /\.exe|\.dll|\.bin/i | FileType := "Executable";
    CommandHistory = /\.ps1|\.bat|\.vbs/i | FileType := "Script";
    * | FileType := "Other"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, FileType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4 (Falcon sensor)

Required Tables

ProcessRollup2 NetworkConnectIP4 DetectionSummaryEvent

False Positives

Browser extensions or plugins that legitimately spawn helper processes — e.g., PDF readers (AcroRd32.exe), video codec installers, accessibility tools launched via browser
Legitimate software update mechanisms triggered through the browser — Chrome or Firefox update pipelines may invoke msiexec.exe or cmd.exe to apply updates
Developer workflows using browser-based IDEs, build tools, or debugging extensions that spawn local script interpreters or Node.js processes
Enterprise protocol handlers (custom URI schemes such as myapp://) that allow browsers to launch registered desktop applications or scripts
Download managers integrated with browsers that save executable files to standard temp directories before user-initiated installation

Drive-by Target

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections