
Potential Suspicious Browser Launch From Document Reader Process

Tags: sigma · MEDIUM · SigmaHQ · T1204.002 · imProcessCreate · phishing
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-20T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects when a browser process or browser tab is launched from an application that handles document files (such as Adobe Acrobat Reader or Microsoft Office) and connects to a web application over HTTP(S); this could indicate a possible phishing attempt.

Detection Rule

Sigma (Original)

title: Potential Suspicious Browser Launch From Document Reader Process
id: 1193d960-2369-499f-a158-7b50a31df682
status: test
description: |
    Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
references:
    - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
    - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
author: Joseph Kamau
date: 2024-05-27
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Acrobat Reader'
            - 'Microsoft Office'
            - 'PDF Reader'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\maxthon.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
        CommandLine|contains: 'http'
    filter_main_microsoft_help:
        CommandLine|contains: 'https://go.microsoft.com/fwlink/'
    filter_optional_foxit:
        CommandLine|contains:
            - 'http://ad.foxitsoftware.com/adlog.php?'
            - 'https://globe-map.foxitservice.com/go.php?do=redirect'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (((ParentProcessName contains "Acrobat Reader" or ParentProcessName contains "Microsoft Office" or ParentProcessName contains "PDF Reader") or (ActingProcessName contains "Acrobat Reader" or ActingProcessName contains "Microsoft Office" or ActingProcessName contains "PDF Reader")) and (TargetProcessName endswith "\\brave.exe" or TargetProcessName endswith "\\chrome.exe" or TargetProcessName endswith "\\firefox.exe" or TargetProcessName endswith "\\msedge.exe" or TargetProcessName endswith "\\opera.exe" or TargetProcessName endswith "\\maxthon.exe" or TargetProcessName endswith "\\seamonkey.exe" or TargetProcessName endswith "\\vivaldi.exe") and TargetProcessCommandLine contains "http") and (not(TargetProcessCommandLine contains "https://go.microsoft.com/fwlink/")) and (not(((TargetProcessCommandLine contains "http://ad.foxitsoftware.com/adlog.php") or (TargetProcessCommandLine contains "https://globe-map.foxitservice.com/go.php" and TargetProcessCommandLine contains "do=redirect"))))
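To see how the selection block and the two filter blocks combine under the rule's condition, here is an added Python re-implementation of the matching logic (not part of the SigmaHQ rule or this feed) run over constructed process_creation events; field names follow Sigma's process_creation taxonomy, and the sample paths and URLs are made up.

```python
# Added example: the Sigma selection + filters above, evaluated in Python over
# constructed process_creation events (ParentImage / Image / CommandLine fields).
DOC_READER_PARENTS = ("acrobat reader", "microsoft office", "pdf reader")
BROWSER_IMAGES = ("\\brave.exe", "\\chrome.exe", "\\firefox.exe", "\\msedge.exe",
                  "\\opera.exe", "\\maxthon.exe", "\\seamonkey.exe", "\\vivaldi.exe")
FILTER_MAIN = ("https://go.microsoft.com/fwlink/",)
FILTER_OPTIONAL = ("http://ad.foxitsoftware.com/adlog.php?",
                   "https://globe-map.foxitservice.com/go.php?do=redirect")

def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    # Sigma's contains/endswith modifiers are case-insensitive, so lower-case first.
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection = (any(p in parent for p in DOC_READER_PARENTS)
                 and image.endswith(BROWSER_IMAGES)
                 and "http" in cmdline)
    if not selection:
        return False
    # Any filter hit suppresses the alert (known benign help/vendor URLs).
    return not any(f in cmdline for f in FILTER_MAIN + FILTER_OPTIONAL)

# Constructed sample events; paths and URLs are made up for illustration.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --single-argument https://example.test/view'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" https://go.microsoft.com/fwlink/?LinkId=1'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"firefox.exe" https://example.test/'},
    {"ParentImage": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" http://ad.foxitsoftware.com/adlog.php?v=1'},
    {"ParentImage": r"C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" https://example.test/login'},
]

def run_rule(events):
    """Return the indexes of events that would raise this alert."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    # [0, 4]: fwlink and Foxit ad URLs are filtered; explorer.exe is not a document reader
    print(run_rule(SAMPLE_EVENTS))
```

Events 1 and 3 show why the filters matter: both satisfy the selection (document-reader parent, browser child, "http" in the command line) and would alert without the allow-listed Microsoft help and Foxit vendor URLs.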

Required Data Sources

Sentinel Table    Notes
imProcessCreate   Ensure this data connector is enabled

False Positive Guidance

Unlikely in most cases; further investigation should be done on the command line of the browser process to determine the context of the URL accessed. The rule already excludes Microsoft help links under https://go.microsoft.com/fwlink/ and the Foxit vendor URLs listed in filter_optional_foxit.

MITRE ATT&CK Context

Tactic: Execution (attack.execution). Technique: T1204.002, User Execution: Malicious File (attack.t1204.002).
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml