
Browser Spawns Scripting Interpreter — Fake Update Delivery Indicator

Detects when a web browser directly spawns a scripting interpreter such as PowerShell, cmd.exe, or wscript.exe. This execution chain does not occur during normal user activity and is the primary delivery mechanism used by SocGholish and FakeUpdates campaigns distributing ransomware and banking trojans through compromised websites presenting fake browser update prompts.

Tags: EDR, fake-update, browser-spawn, initial-access, socgholish, drive-by, T1189, T1059.001, T1059.003

FDR | Beginner | by darkreitor | 1 min read

Query

```
#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe)/
| FileName=/(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)/
| select([ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, @timestamp])
| sort(@timestamp, order=desc, limit=100)
```

Explanation

| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Select process creation events from FDR endpoint telemetry collected by the Falcon sensor |
| `ParentBaseFileName=/(?i)(chrome\.exe\...)/` | Match when a major web browser is the parent process; this execution relationship should not occur during normal browsing activity |
| `FileName=/(?i)(powershell\.exe\...)/` | Match scripting interpreters and Windows Script Host binaries used as first-stage loaders in fake browser update malware campaigns |
| `select([...])` | Return key forensic fields for investigation: hostname, user, parent browser, child process, command line, and timestamp |
| `sort(@timestamp, order=desc, limit=100)` | Display the most recent events first to support real-time detection and rapid incident response |

Adjustable Variables

Add `brave.exe`, `opera.exe`, or `vivaldi.exe` to the `ParentBaseFileName` pattern to expand browser coverage based on your organization's approved software list. Add a `NOT` filter on `CommandLine` to exclude known-safe browser extension helper processes if false positives arise from enterprise tooling. Raise `limit` above 100 for retrospective hunting across a broader historical window.
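The same parent/child matching, the field selection, the newest-first sort with a limit, and the two tuning knobs above (extra browsers, a command-line exclusion) can be exercised offline against ProcessRollup2-shaped records. The following is an added example, not code from the page or from CrowdStrike; the sample events, hostnames, user names and the `ExampleCorp` helper path are constructed, and the default patterns are the ones in the query.

```python
import re
from datetime import datetime

# Default patterns taken from the page's query. Like the /(?i)...\/ field filters,
# matching is case-insensitive and unanchored (substring match).
DEFAULT_BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")
INTERPRETERS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
SELECT_FIELDS = ("ComputerName", "UserName", "ParentBaseFileName",
                 "FileName", "CommandLine", "@timestamp")


def _alternation(names):
    """Compile a case-insensitive alternation of literal file names."""
    return re.compile("(" + "|".join(re.escape(n) for n in names) + ")", re.IGNORECASE)


def detect_browser_spawned_interpreter(events, extra_browsers=(), commandline_exclusions=(), limit=100):
    """Return the selected fields of events where a browser directly spawned an interpreter.

    extra_browsers: additional ParentBaseFileName values (e.g. brave.exe), as the
        Adjustable Variables section suggests.
    commandline_exclusions: regex strings; a match on CommandLine suppresses the event,
        the equivalent of a NOT filter for known-safe helper processes.
    limit: maximum number of results, newest first (sort(@timestamp, order=desc, limit=N)).
    """
    parent_re = _alternation(DEFAULT_BROWSERS + tuple(extra_browsers))
    child_re = _alternation(INTERPRETERS)
    exclude_res = [re.compile(p, re.IGNORECASE) for p in commandline_exclusions]

    hits = []
    for ev in events:
        # Only process creation events are relevant (#event_simpleName=ProcessRollup2).
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if not parent_re.search(ev.get("ParentBaseFileName", "")):
            continue
        if not child_re.search(ev.get("FileName", "")):
            continue
        if any(r.search(ev.get("CommandLine", "")) for r in exclude_res):
            continue
        hits.append({k: ev.get(k) for k in SELECT_FIELDS})

    # Newest first; "Z" is rewritten so fromisoformat works on older Python versions too.
    hits.sort(key=lambda h: datetime.fromisoformat(h["@timestamp"].replace("Z", "+00:00")),
              reverse=True)
    return hits[:limit]


# Constructed sample records (not real telemetry); field names mirror ProcessRollup2.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-05-01T10:00:01Z",
     "ComputerName": "WS-0123", "UserName": "jdoe", "ParentBaseFileName": "chrome.exe",
     "FileName": "wscript.exe", "CommandLine": 'wscript.exe "C:\\Users\\jdoe\\Downloads\\Update.js"'},
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-05-01T10:00:05Z",
     "ComputerName": "WS-0123", "UserName": "jdoe", "ParentBaseFileName": "chrome.exe",
     "FileName": "chrome.exe", "CommandLine": "chrome.exe --type=renderer"},
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-05-01T09:58:00Z",
     "ComputerName": "WS-0456", "UserName": "asmith", "ParentBaseFileName": "MSEDGE.EXE",
     "FileName": "powershell.exe", "CommandLine": "powershell.exe -w hidden -File update.ps1"},
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-05-01T09:59:30Z",
     "ComputerName": "WS-0789", "UserName": "svc_deploy", "ParentBaseFileName": "explorer.exe",
     "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-05-01T10:01:00Z",
     "ComputerName": "WS-0456", "UserName": "asmith", "ParentBaseFileName": "brave.exe",
     "FileName": "cmd.exe", "CommandLine": "cmd.exe /c start update.bat"},
    {"event_simpleName": "ProcessRollup2", "@timestamp": "2024-05-01T10:02:00Z",
     "ComputerName": "WS-0999", "UserName": "svc_ext", "ParentBaseFileName": "firefox.exe",
     "FileName": "powershell.exe",
     "CommandLine": 'powershell.exe -File "C:\\Program Files\\ExampleCorp\\ext_helper.ps1"'},
]

if __name__ == "__main__":
    print("default query:")
    for h in detect_browser_spawned_interpreter(SAMPLE_EVENTS):
        print(" ", h["@timestamp"], h["ComputerName"], h["ParentBaseFileName"], "->", h["FileName"])
    print("tuned (brave.exe added, ExampleCorp helper excluded):")
    for h in detect_browser_spawned_interpreter(
            SAMPLE_EVENTS, extra_browsers=("brave.exe",),
            commandline_exclusions=(r"ExampleCorp\\ext_helper\.ps1",)):
        print(" ", h["@timestamp"], h["ComputerName"], h["ParentBaseFileName"], "->", h["FileName"])
```

With the default patterns the `brave.exe` parent is not reported and the `ExampleCorp` helper is; after tuning, the first appears and the second is suppressed. The exclusion regex is applied to the full command line, so keep it as specific as the page advises (a full path to the known helper rather than just the interpreter name), otherwise the filter also hides the fake-update chain the rule exists to catch.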