Searching for PowerShell Invoking a Browser

PowerShell can invoke a browser; however, this is not typical behavior. If you have any hits on the following queries, you must investigate it.

For example:

You can query each PowerShell-invoked browser one at a time:

parent_name:powershell.exe AND childproc_name:iexplore.exe

parent_name:powershell.exe AND childproc_name:firefox.exe

parent_name:powershell.exe AND childproc_name:chrome.exe

You can search for the three PowerShell-invoked browsers at one time:

parent_name:powershell.exe AND (childproc_name:iexplore.exe OR childproc_name:firefox.exe OR childproc_name:chrome.exe)