Detection: Windows Uncommon Remote Thread Creation In Browser Process

Description

The following analytic identifies the creation of a remote thread by a process such as wermgr.exe or rundll32.exe into a browser process such as firefox.exe, chrome.exe, and others. These processes do not typically create remote threads, in browser processes. It leverages Sysmon EventID 8 to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is commonly associated with malware like Qakbot and IcedID, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.

  1`sysmon`
  2EventCode=8
  3SourceImage IN (
  4    "*\\rundll32.exe",
  5    "*\\wermgr.exe"
  6)
  7TargetImage IN (
  8    "*\\Sputnik.exe",
  9    "*\\ChromePlus.exe",
 10    "*\\QIP Surf.exe",
 11    "*\\BlackHawk.exe",
 12    "*\\7Star.exe",
 13    "*\\Sleipnir5.exe",
 14    "*\\Citrio.exe",
 15    "*\\Chrome SxS.exe",
 16    "*\\Chrome.exe",
 17    "*\\Coowon.exe",
 18    "*\\CocCocBrowser.exe",
 19    "*\\Uran.exe",
 20    "*\\QQBrowser.exe",
 21    "*\\Orbitum.exe",
 22    "*\\Slimjet.exe",
 23    "*\\Iridium.exe",
 24    "*\\Vivaldi.exe",
 25    "*\\Chromium.exe",
 26    "*\\GhostBrowser.exe",
 27    "*\\CentBrowser.exe",
 28    "*\\Xvast.exe",
 29    "*\\Chedot.exe",
 30    "*\\SuperBird.exe",
 31    "*\\360Browser.exe",
 32    "*\\360Chrome.exe",
 33    "*\\dragon.exe",
 34    "*\\brave.exe",
 35    "*\\torch.exe",
 36    "*\\UCBrowser.exe",
 37    "*\\BliskBrowser.exe",
 38    "*\\Epic Privacy Browser.exe",
 39    "*\\nichrome.exe",
 40    "*\\AmigoBrowser.exe",
 41    "*\\KometaBrowser.exe",
 42    "*\\XpomBrowser.exe",
 43    "*\\msedge.exe",
 44    "*\\LiebaoBrowser.exe",
 45    "*\\AvastBrowser.exe",
 46    "*\\Kinza.exe",
 47    "*\\seamonkey.exe",
 48    "*\\icedragon.exe",
 49    "*\\cyberfox.exe",
 50    "*\\SlimBrowser.exe",
 51    "*\\palemoon.exe",
 52    "*\\opera.exe",
 53    "*\\yandex.exe",
 54    "*\\atom.exe",
 55    "*\\Chromodo.exe",
 56    "*\\360chrome.exe",
 57    "*\\360se.exe",
 58    "*\\Maxthon.exe",
 59    "*\\k-meleon.exe",
 60    "*\\SLBrowser.exe",
 61    "*\\Go!.exe",
 62    "*\\Secure Browser.exe",
 63    "*\\Elements Browser.exe",
 64    "*\\Mustang.exe",
 65    "*\\Suhba.exe",
 66    "*\\TorBro.exe",
 67    "*\\RockMelt.exe",
 68    "*\\Bromium.exe",
 69    "*\\Twinkstar.exe",
 70    "*\\iTop Private Browser.exe",
 71    "*\\CCleaner Browser.exe",
 72    "*\\AcWebBrowser.exe",
 73    "*\\CoolNovo.exe",
 74    "*\\spark.exe",
 75    "*\\iron.exe",
 76    "*\\Titan Browser.exe",
 77    "*\\AVG Browser.exe",
 78    "*\\UR Browser.exe",
 79    "*\\Flock.exe",
 80    "*\\CryptoTab Browser.exe",
 81    "*\\Sidekick.exe",
 82    "*\\SwingBrowser.exe",
 83    "*\\SalamWeb.exe",
 84    "*\\NetboxBrowser.exe",
 85    "*\\GarenaPlus.exe",
 86    "*\\InsomniacBrowser.exe",
 87    "*\\Viasat Browser.exe",
 88    "*\\whale.exe",
 89    "*\\falkon.exe",
 90    "*\\SogouExplorer.exe",
 91    "*\\firefox.exe",
 92    "*\\waterfox.exe",
 93    "*\\thunderbird.exe",
 94    "*\\basilisk.exe",
 95    "*\\BitTubeBrowser.exe"
 96)
 97
 98| stats count min(_time) as firstTime
 99              max(_time) as lastTime
100              values(NewThreadId) as "NewThreadId"
101              values(StartAddress) as "StartAddress"
102  by dest signature_id signature
103     SourceProcessGuid SourceProcessId SourceImage
104     TargetProcessGuid TargetProcessId TargetImage
105     StartModule StartFunction vendor_product
106
107| `security_content_ctime(firstTime)`
108
109| `security_content_ctime(lastTime)`
110
111| `windows_uncommon_remote_thread_creation_in_browser_process_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 8 Windows icon Windows 'XmlWinEventLog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
sysmon (source=WinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational)
windows_uncommon_remote_thread_creation_in_browser_process_filter search *
windows_uncommon_remote_thread_creation_in_browser_process_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1055.001 Dynamic-link Library Injection Privilege Escalation
Exploitation
DE.AE
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) No
Creates Intermediate Finding (Risk Event) Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Intermediate Findings

Message Entity Field Entity Type Risk Score
The process [$SourceImage$] created a remote thread into the browser process [$TargetImage$] in host $dest$. dest system 20

Threat Objects

Field Type
TargetImage process_name
SourceImage process_name

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub |

Version: 1