```yaml
title: Browser Spawning Script or Shell Execution
id: edr-win-exec-browser-to-shell
status: stable
description: >
  Detects browsers spawning script hosts or shells (wscript, cscript, powershell, mshta).
  This is the process lineage produced by initial-access-broker (IAB) delivery chains such as
  SocGholish / FakeUpdates, where a downloaded Update.js is opened straight from the browser's
  download prompt: the browser, not explorer.exe, becomes the parent of wscript.exe, and no
  user interaction beyond the initial click is required.
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://attack.mitre.org/techniques/T1566/002/
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.execution
  - attack.initial_access
  - attack.t1059.001
  - attack.t1059.005
  - attack.t1566.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Sigma string modifiers are case-insensitive; |contains matches these tokens anywhere
    # in the full parent path, not only in the executable name.
    ParentImage|contains:
      - 'chrome'
      - 'msedge'
      - 'firefox'
      - 'chromium'
      - 'vivaldi'
      - 'iexplore'
      - 'opera'
      - 'brave'
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\pwsh.exe'
      - '\mshta.exe'
  condition: selection
falsepositives:
  - Legitimate browser extensions or IT deployment scripts
level: high
```
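The following is an added example, not part of the rule or of the ShroudCloud rule set: it re-implements the `selection` logic of the Sigma rule above in plain Python and runs it over a handful of constructed `process_creation` events. It also shows a stricter variant that anchors the parent match on the browser executable name rather than a substring of the full path. The event dicts, file paths and user names are made up for illustration, and the list of browser binary names in `BROWSER_BASENAMES` is an assumption, not something the rule states.

```python
# Added example: evaluate the selection of Sigma rule edr-win-exec-browser-to-shell
# against constructed process_creation events. Nothing here is the rule author's code.

# Field values copied from the rule. Sigma's |contains and |endswith are
# case-insensitive; list items within one field are OR'ed, fields are AND'ed.
PARENT_SUBSTRINGS = ("chrome", "msedge", "firefox", "chromium",
                     "vivaldi", "iexplore", "opera", "brave")
CHILD_SUFFIXES = ("\\wscript.exe", "\\cscript.exe", "\\powershell.exe",
                  "\\powershell_ise.exe", "\\pwsh.exe", "\\mshta.exe")

# Assumption for the stricter variant: browser executable names on Windows.
BROWSER_BASENAMES = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe", "\\chromium.exe",
                     "\\vivaldi.exe", "\\iexplore.exe", "\\opera.exe", "\\brave.exe")


def matches(event: dict) -> bool:
    """Exact semantics of the rule: ParentImage|contains AND Image|endswith."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    parent_hit = any(token in parent for token in PARENT_SUBSTRINGS)
    child_hit = any(image.endswith(suffix) for suffix in CHILD_SUFFIXES)
    return parent_hit and child_hit


def matches_strict(event: dict) -> bool:
    """Variant that anchors the parent on the binary name (ParentImage|endswith).

    Trades the substring matching of the original for fewer hits on unrelated
    paths that happen to contain a browser token (e.g. '...\\Operations\\...').
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    parent_hit = any(parent.endswith(name) for name in BROWSER_BASENAMES)
    child_hit = any(image.endswith(suffix) for suffix in CHILD_SUFFIXES)
    return parent_hit and child_hit


def evaluate(events, predicate=matches):
    """Return the subset of events the given predicate flags."""
    return [e for e in events if predicate(e)]


# Constructed sample events (Sysmon-style field names); all paths and names are made up.
EVENTS = [
    {   # 1: FakeUpdates-style: Update.js opened from the Chrome download prompt
        "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "wscript.exe C:\\Users\\alice\\Downloads\\Update.js",
    },
    {   # 2: Edge launching PowerShell
        "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc AAAA",
    },
    {   # 3: same payload double-clicked in the Downloads folder: parent is explorer.exe
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "wscript.exe C:\\Users\\alice\\Downloads\\Update.js",
    },
    {   # 4: unrelated agent whose install path contains 'opera' (inside 'Operations')
        "ParentImage": "C:\\Program Files\\Operations\\Agent\\agent.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -File C:\\Program Files\\Operations\\inventory.ps1",
    },
    {   # 5: Chrome spawning something that is not a script host or shell
        "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe",
    },
    {   # 6: upper-case paths, to exercise case-insensitive matching
        "ParentImage": "C:\\PROGRAM FILES\\MOZILLA FIREFOX\\FIREFOX.EXE",
        "Image": "C:\\WINDOWS\\SYSTEM32\\CSCRIPT.EXE",
        "CommandLine": "CSCRIPT.EXE //E:JSCRIPT C:\\USERS\\BOB\\DOWNLOADS\\UPDATE.JS",
    },
]


if __name__ == "__main__":
    for label, pred in (("rule as written", matches), ("strict parent", matches_strict)):
        hits = evaluate(EVENTS, pred)
        print(f"{label}: {len(hits)} hit(s)")
        for e in hits:
            print("   ", e["ParentImage"], "->", e["CommandLine"])
```

Events 1, 2 and 6 are the lineage the rule is built for and are flagged by both variants; event 3 shows why the rule only catches the "open from browser" path and not a payload launched from the Downloads folder, and event 4 shows the cost of `|contains` on a full path: the strict variant drops it, the original does not.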