Elastic Security Detection Rules

Potential Masquerading as Browser Process

Last updated 9 days ago on 2025-05-05
Created 2 years ago on 2023-08-02

About

Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Defense EvasionTactic: PersistenceRule Type: BBRData Source: Elastic DefendLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

Masquerading (T1036)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

Compromise Host Software Binary (T1554)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process-*
Related Integrations

endpoint(opens in a new tab or window)

Query
process where host.os.type == "windows" and event.type == "start" and
  (
    /* Chrome Related Processes */
    (
      process.name : (
        "chrome.exe", "GoogleUpdate.exe", "GoogleCrashHandler64.exe", "GoogleCrashHandler.exe",
        "GoogleUpdateComRegisterShell64.exe", "GoogleUpdateSetup.exe", "GoogleUpdateOnDemand.exe",
        "chrome_proxy.exe", "remote_assistance_host.exe", "remoting_native_messaging_host.exe",
        "GoogleUpdateBroker.exe"
      ) and
      not (process.code_signature.subject_name in ("Google LLC", "Google Inc") and process.code_signature.trusted == true) and
      not (
        process.executable : (
          "?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe",
          "?:\\Program Files\\HP\\Sure Click\\*\\servers\\chrome.exe"
        ) and
        process.code_signature.subject_name == "Bromium, Inc." and process.code_signature.trusted == true
      ) and
      not (
        process.executable : "?:\\Program Files\\dynatrace\\synthetic\\Chrome-bin\\chrome.exe" and
        process.code_signature.subject_name == "Dynatrace LLC" and process.code_signature.trusted == true
      ) and
      not (
        process.executable : "?:\\Users\\*\\Desktop\\CentBrowser\\chrome.exe" and
        process.code_signature.subject_name == "MV INFORMATICA NORDESTE LTDA" and process.code_signature.trusted == true
      ) and
      not (
        process.executable : (
          "?:\\Users\\*\\AppData\\Local\\ms-playwright\\chromium-*\\chrome-win\\chrome.exe",
          "?:\\Users\\*\\AppData\\Local\\Programs\\synthetics-recorder\\resources\\local-browsers\\chromium-*\\chrome-win\\chrome.exe",
          "*\\node_modules\\puppeteer\\*\\win64-*\\chrome-win\\chrome.exe",
          "?:\\Program Files (x86)\\Invicti Professional Edition\\chromium\\chrome.exe",
          "?:\\Program Files\\End2End, Inc\\ARMS Html Engine\\chrome.exe",
          "?:\\Users\\*\\AppData\\Local\\*BurpSuitePro\\burpbrowser\\*\\chrome.exe",
          "?:\\Users\\*\\AppData\\Roaming\\*BurpSuite\\burpbrowser\\*\\chrome.exe",
          "?:\\Gradient\\Connector.Service\\runtimes\\win-x64\\native\\chrome.exe",
          "?:\\Program Files (x86)\\Netsparker Enterprise Agent-?\\chromium\\chrome.exe"
        ) and process.args: (
                "--enable-features=NetworkService,NetworkServiceInProcess",
                "--type=crashpad-handler", "--enable-automation", "--disable-xss-auditor"
              )
      )
    ) or

    /* MS Edge Related Processes */
    (
      process.name : (
        "msedge.exe", "MicrosoftEdgeUpdate.exe", "identity_helper.exe", "msedgewebview2.exe",
        "MicrosoftEdgeWebview2Setup.exe", "MicrosoftEdge_X*.exe", "msedge_proxy.exe",
        "MicrosoftEdgeUpdateCore.exe", "MicrosoftEdgeUpdateBroker.exe", "MicrosoftEdgeUpdateSetup_X*.exe",
        "MicrosoftEdgeUpdateComRegisterShell64.exe", "msedgerecovery.exe", "MicrosoftEdgeUpdateSetup.exe"
      ) and
      not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) and
      not (
        process.name : "msedgewebview2.exe" and
        process.code_signature.subject_name in ("Bromium, Inc.", "Amazon.com Services LLC", "Code Systems Corporation") and
        process.code_signature.trusted == true
      ) and
      not process.executable : "?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
    ) or

    /* Brave Related Processes */
    (
      process.name : (
        "brave.exe", "BraveUpdate.exe", "BraveCrashHandler64.exe", "BraveCrashHandler.exe",
        "BraveUpdateOnDemand.exe", "brave_vpn_helper.exe", "BraveUpdateSetup*.exe",
        "BraveUpdateComRegisterShell64.exe"
      ) and
      not (process.code_signature.subject_name in ("Brave Software, Inc.", "Google Inc") and process.code_signature.trusted == true)
    ) or

    /* Firefox Related Processes */
    (
      process.name : (
        "firefox.exe", "pingsender.exe", "default-browser-agent.exe", "maintenanceservice.exe",
        "plugin-container.exe", "maintenanceservice_tmp.exe", "maintenanceservice_installer.exe",
        "minidump-analyzer.exe"
      ) and
      not (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true) and
      not (
        process.name : "default-browser-agent.exe" and
        process.code_signature.subject_name in ("WATERFOX LIMITED") and process.code_signature.trusted == true
      ) and
      not process.hash.sha256 == "ddc7a6c3a4b50d23daffe8e364c575fd7df9af9711b14d153b09553ddd3670a0" and
      not process.executable : "?:\\Users\\*\\AppData\\Local\\ms-playwright\\firefox-*\\firefox\\firefox.exe"
    ) or

    /* Island Related Processes */
    (
      process.name : (
        "Island.exe", "IslandUpdate.exe", "IslandCrashHandler.exe", "IslandCrashHandler64.exe",
        "IslandUpdateBroker.exe", "IslandUpdateOnDemand.exe", "IslandUpdateComRegisterShell64.exe",
        "IslandUpdateSetup.exe"
      ) and
      not (process.code_signature.subject_name == "Island Technology Inc." and process.code_signature.trusted == true)
    ) or

    /* Opera Related Processes */
    (
      process.name : ("opera.exe", "opera_*.exe", "browser_assistant.exe") and
      not (process.code_signature.subject_name in ("Opera Norway AS", "Opera Software AS") and process.code_signature.trusted == true)
    ) or

    /* Whale Related Processes */
    (
      process.name : ("whale.exe", "whale_update.exe", "wusvc.exe") and
      not (process.code_signature.subject_name == "NAVER Corp." and process.code_signature.trusted == true)
    ) or

    /* Chromium-based Browsers processes */
    (
      process.name : ("chrmstp.exe", "notification_helper.exe", "elevation_service.exe") and
      not (
        process.code_signature.subject_name in (
          "Island Technology Inc.",
          "Citrix Systems, Inc.",
          "Brave Software, Inc.",
          "Google LLC",
          "Google Inc",
          "Microsoft Corporation",
          "NAVER Corp.",
          "AVG Technologies USA, LLC",
          "Avast Software s.r.o.",
          "PIRIFORM SOFTWARE LIMITED",
          "NortonLifeLock Inc.",
          "Opera Norway AS"
        ) and process.code_signature.trusted == true
      )
    )
  )

Install detection rules in Elastic Security

Detect Potential Masquerading as Browser Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).