Chromium-Based Browser Hunting via DLL Load
This query identifies Chromium-based browsers by detecting the loading of chrome.dll into running processes. Unlike simple process name checks, this method helps uncover browsers that may not be named chrome.exe but still rely on Chromium components. The query excludes known chrome.exe processes to highlight less obvious Chromium-based browsers, although it’s important to note that not all Chromium-based browsers necessarily load chrome.dll.
Tags: EDR, hunting
FDR · intermediate · by ByteRay GmbH (cql-hub.com)
Query
defineTable(query={#event_simpleName=ClassifiedModuleLoad
| ImageFileName=/chrome\.dll/i
| TargetImageFileName!=/chrome\.exe/i}, include=[ComputerName, TargetProcessId], name="DllLoads")
| #event_simpleName=ProcessRollup2 TargetProcessId=*
| match(table="DllLoads", field=[TargetProcessId])
| table([@timestamp, aid, ComputerName, FileName, TargetProcessId, ImageFileName, TargetImageFileName])
Explanation
Imported from cql-hub.com. Pipe by pipe: defineTable() builds a lookup table named DllLoads from ClassifiedModuleLoad events whose ImageFileName matches chrome.dll (case-insensitive) and whose TargetImageFileName does not match chrome.exe, keeping only the ComputerName and TargetProcessId columns. The main search then selects ProcessRollup2 events that carry a TargetProcessId, match() keeps only those whose TargetProcessId appears in DllLoads, and table() lays out the selected columns.
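To make the join concrete, the following is an added Python model of the query (not code from cql-hub.com or ByteRay): it applies the same regex filters, builds the DllLoads table and performs the match() join over constructed sample events. Field names follow the query; the hosts, process IDs and paths are assumptions.

```python
import re
# Constructed sample telemetry (not real Falcon events); field names mirror the query's.
ML_FIELDS = ("ComputerName", "TargetProcessId", "ImageFileName", "TargetImageFileName")
MODULE_LOADS = [dict(zip(ML_FIELDS, t)) for t in [          # #event_simpleName=ClassifiedModuleLoad
    ("WS01", 101, r"C:\Program Files\Google\Chrome\Application\123.0\chrome.dll",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe"),               # excluded: chrome.exe
    ("WS01", 102, r"C:\Program Files\BraveSoftware\Brave-Browser\Application\123.0\chrome.dll",
     r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"),  # hit
    ("WS02", 103, r"C:\Program Files (x86)\Microsoft\Edge\Application\123.0\msedge.dll",
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),        # Chromium, but no chrome.dll: missed
    ("WS02", 104, r"C:\Users\u\AppData\Local\Temp\CHROME.DLL",
     r"C:\Users\u\AppData\Local\Temp\updater.exe"),                          # hit (regex is case-insensitive)
]]
PR_FIELDS = ("@timestamp", "aid", "ComputerName", "FileName", "ImageFileName", "TargetProcessId")
PROCESS_EVENTS = [dict(zip(PR_FIELDS, t)) for t in [        # #event_simpleName=ProcessRollup2
    ("2024-01-01T10:00:00Z", "aid-1", "WS01", "chrome.exe",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe", 101),
    ("2024-01-01T10:01:00Z", "aid-1", "WS01", "brave.exe",
     r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe", 102),
    ("2024-01-01T10:02:00Z", "aid-2", "WS02", "msedge.exe",
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 103),
    ("2024-01-01T10:03:00Z", "aid-2", "WS02", "updater.exe",
     r"C:\Users\u\AppData\Local\Temp\updater.exe", 104),
    ("2024-01-01T10:04:00Z", "aid-2", "WS02", "svchost.exe",
     r"C:\Windows\System32\svchost.exe"),                    # no TargetProcessId: dropped by TargetProcessId=*
]]
CHROME_DLL = re.compile(r"chrome\.dll", re.IGNORECASE)   # ImageFileName=/chrome\.dll/i
CHROME_EXE = re.compile(r"chrome\.exe", re.IGNORECASE)   # TargetImageFileName!=/chrome\.exe/i
INCLUDE = ("ComputerName", "TargetProcessId")            # include=[...] of defineTable()
COLUMNS = ("@timestamp", "aid", "ComputerName", "FileName", "TargetProcessId",
           "ImageFileName", "TargetImageFileName")       # columns of the final table()

def define_dll_loads(module_loads):
    """defineTable() step: one DllLoads row per chrome.dll load into a process that is not chrome.exe."""
    return {ev["TargetProcessId"]: {k: ev[k] for k in INCLUDE}
            for ev in module_loads
            if CHROME_DLL.search(ev["ImageFileName"])
            and not CHROME_EXE.search(ev["TargetImageFileName"])}

def hunt(module_loads, process_events):
    """Main search: ProcessRollup2 events that have a TargetProcessId, joined to DllLoads via match()."""
    dll_loads = define_dll_loads(module_loads)
    rows = []
    for ev in process_events:
        pid = ev.get("TargetProcessId")        # TargetProcessId=* drops events without the field
        if pid is None or pid not in dll_loads:
            continue                           # match() keeps only events with a row in the table
        joined = {**ev, **dll_loads[pid]}      # match() adds the table's included columns to the event
        rows.append({c: joined.get(c) for c in COLUMNS})
    return rows
```

Because defineTable() only includes ComputerName and TargetProcessId, the DLL path and TargetImageFileName from the module-load event are not carried into the final table(); the model reproduces that, so add those fields to include=[] if you want them in the output.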
Variables to adjust
Review and adjust the values (the /chrome\.dll/i and /chrome\.exe/i patterns) to suit your environment.