Chrome Spawned by Powershell with Load-Extension in Command Line
Detects the Chrome browser executable (chrome.exe) being spawned by PowerShell (powershell.exe) with a command line that contains both appdata\local and load-extension, i.e. an extension being side-loaded from a user-writable profile directory, the technique described in the ChromeLoader references below.
Sigma rule
```yaml
title: Chrome Spawned by Powershell with Load-Extension in Command Line
id: 4007bc45-1727-405d-a7bc-4b3d441bf08f
status: experimental
description: Detects instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\local as a parameter.
references:
    - https://redcanary.com/blog/chromeloader/
    - https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
author: Micah Babinski
date: 2022/11/07
tags:
    - attack.persistence
    - attack.t1176
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\powershell.exe'
        Image|endswith: '\chrome.exe'
        CommandLine|contains|all:
            - 'appdata\local'
            - 'load-extension'
    condition: selection
falsepositives:
    - Unknown
level: high
```
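To see exactly what the selection above matches, here is an added example (not part of the SigmaHQ rule or its page) that re-implements the three modifiers the rule uses (`endswith`, `contains`, `all`) with Sigma's default case-insensitive string matching and runs them over a handful of constructed Sysmon Event ID 1 style records. The evaluator, the event names and the file paths are assumptions made for illustration; in production you would convert the rule with the sigma-cli/pySigma toolchain rather than hand-roll matching.

```python
"""Evaluate the Chrome/PowerShell load-extension Sigma selection over sample events.

Hypothetical minimal evaluator: it only implements the modifiers this rule uses
(endswith, contains, all) and the implicit AND between selection fields.
"""

# Selection copied from the rule; a list value without 'all' would be OR in Sigma.
SELECTION = {
    "ParentImage|endswith": "\\powershell.exe",
    "Image|endswith": "\\chrome.exe",
    "CommandLine|contains|all": ["appdata\\local", "load-extension"],
}


def _apply(modifier, field_value, pattern):
    """Sigma string matching is case-insensitive by default, hence the lower()."""
    fv, p = field_value.lower(), pattern.lower()
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "contains":
        return p in fv
    return fv == p  # no modifier: exact (case-insensitive) equality


def match_selection(event, selection=SELECTION):
    """Return True when every field condition in the selection holds (implicit AND)."""
    for key, pattern in selection.items():
        field, *mods = key.split("|")
        value = event.get(field)
        if value is None:          # field absent from the event: cannot match
            return False
        use_all = "all" in mods
        mods = [m for m in mods if m != "all"]
        modifier = mods[0] if mods else "equals"
        patterns = pattern if isinstance(pattern, list) else [pattern]
        results = [_apply(modifier, value, p) for p in patterns]
        if not (all(results) if use_all else any(results)):
            return False
    return True


# Constructed sample events (paths and user name are made up for the example).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS51 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS7 = r"C:\Program Files\PowerShell\7\pwsh.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SIDELOAD = (f'"{CHROME}" --load-extension="C:\\Users\\victim\\AppData\\Local\\Temp\\ext" '
            "--disable-extensions-except=C:\\Users\\victim\\AppData\\Local\\Temp\\ext")

SAMPLE_EVENTS = [
    {"name": "powershell sideloads extension from AppData",
     "ParentImage": PS51, "Image": CHROME, "CommandLine": SIDELOAD},
    {"name": "powershell opens a URL",
     "ParentImage": PS51, "Image": CHROME, "CommandLine": f'"{CHROME}" https://example.test/'},
    {"name": "explorer sideloads extension",
     "ParentImage": EXPLORER, "Image": CHROME, "CommandLine": SIDELOAD},
    {"name": "pwsh (PowerShell 7) sideloads extension",
     "ParentImage": PS7, "Image": CHROME, "CommandLine": SIDELOAD},
]


def run_rule(events=SAMPLE_EVENTS):
    """Names of the events the selection fires on."""
    return [e["name"] for e in events if match_selection(e)]


if __name__ == "__main__":
    for hit in run_rule():
        print("ALERT:", hit)
```

Only the first event fires. The fourth event is worth noting: because the rule anchors on `\powershell.exe`, the same side-load launched from PowerShell 7 (`pwsh.exe`) is not covered, so a deployment that has PowerShell 7 on endpoints may want a sibling selection for that parent image.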
Related rules
- Command Shell Unusual or Suspicious Process Ancestry
- Windows Scheduled Task Behaving Improperly or Suspiciously
- Windows Scheduled Task Create Shell
- Windows Scheduled Task Making Suspicious Network Connection