| ID | Technique | Tactic |
|---|---|---|
| T1055.001 | Dynamic-link Library Injection | Privilege Escalation |
Detection: Windows Uncommon Remote Thread Creation In Browser Process
Description
The following analytic identifies the creation of a remote thread by a process such as wermgr.exe or rundll32.exe into a browser process such as firefox.exe, chrome.exe, and others. These processes do not typically create remote threads, in browser processes. It leverages Sysmon EventID 8 to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is commonly associated with malware like Qakbot and IcedID, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.
Search
1`sysmon`
2EventCode=8
3SourceImage IN (
4 "*\\rundll32.exe",
5 "*\\wermgr.exe"
6)
7TargetImage IN (
8 "*\\Sputnik.exe",
9 "*\\ChromePlus.exe",
10 "*\\QIP Surf.exe",
11 "*\\BlackHawk.exe",
12 "*\\7Star.exe",
13 "*\\Sleipnir5.exe",
14 "*\\Citrio.exe",
15 "*\\Chrome SxS.exe",
16 "*\\Chrome.exe",
17 "*\\Coowon.exe",
18 "*\\CocCocBrowser.exe",
19 "*\\Uran.exe",
20 "*\\QQBrowser.exe",
21 "*\\Orbitum.exe",
22 "*\\Slimjet.exe",
23 "*\\Iridium.exe",
24 "*\\Vivaldi.exe",
25 "*\\Chromium.exe",
26 "*\\GhostBrowser.exe",
27 "*\\CentBrowser.exe",
28 "*\\Xvast.exe",
29 "*\\Chedot.exe",
30 "*\\SuperBird.exe",
31 "*\\360Browser.exe",
32 "*\\360Chrome.exe",
33 "*\\dragon.exe",
34 "*\\brave.exe",
35 "*\\torch.exe",
36 "*\\UCBrowser.exe",
37 "*\\BliskBrowser.exe",
38 "*\\Epic Privacy Browser.exe",
39 "*\\nichrome.exe",
40 "*\\AmigoBrowser.exe",
41 "*\\KometaBrowser.exe",
42 "*\\XpomBrowser.exe",
43 "*\\msedge.exe",
44 "*\\LiebaoBrowser.exe",
45 "*\\AvastBrowser.exe",
46 "*\\Kinza.exe",
47 "*\\seamonkey.exe",
48 "*\\icedragon.exe",
49 "*\\cyberfox.exe",
50 "*\\SlimBrowser.exe",
51 "*\\palemoon.exe",
52 "*\\opera.exe",
53 "*\\yandex.exe",
54 "*\\atom.exe",
55 "*\\Chromodo.exe",
56 "*\\360chrome.exe",
57 "*\\360se.exe",
58 "*\\Maxthon.exe",
59 "*\\k-meleon.exe",
60 "*\\SLBrowser.exe",
61 "*\\Go!.exe",
62 "*\\Secure Browser.exe",
63 "*\\Elements Browser.exe",
64 "*\\Mustang.exe",
65 "*\\Suhba.exe",
66 "*\\TorBro.exe",
67 "*\\RockMelt.exe",
68 "*\\Bromium.exe",
69 "*\\Twinkstar.exe",
70 "*\\iTop Private Browser.exe",
71 "*\\CCleaner Browser.exe",
72 "*\\AcWebBrowser.exe",
73 "*\\CoolNovo.exe",
74 "*\\spark.exe",
75 "*\\iron.exe",
76 "*\\Titan Browser.exe",
77 "*\\AVG Browser.exe",
78 "*\\UR Browser.exe",
79 "*\\Flock.exe",
80 "*\\CryptoTab Browser.exe",
81 "*\\Sidekick.exe",
82 "*\\SwingBrowser.exe",
83 "*\\SalamWeb.exe",
84 "*\\NetboxBrowser.exe",
85 "*\\GarenaPlus.exe",
86 "*\\InsomniacBrowser.exe",
87 "*\\Viasat Browser.exe",
88 "*\\whale.exe",
89 "*\\falkon.exe",
90 "*\\SogouExplorer.exe",
91 "*\\firefox.exe",
92 "*\\waterfox.exe",
93 "*\\thunderbird.exe",
94 "*\\basilisk.exe",
95 "*\\BitTubeBrowser.exe"
96)
97
98| stats count min(_time) as firstTime
99 max(_time) as lastTime
100 values(NewThreadId) as "NewThreadId"
101 values(StartAddress) as "StartAddress"
102 by dest signature_id signature
103 SourceProcessGuid SourceProcessId SourceImage
104 TargetProcessGuid TargetProcessId TargetImage
105 StartModule StartFunction vendor_product
106
107| `security_content_ctime(firstTime)`
108
109| `security_content_ctime(lastTime)`
110
111| `windows_uncommon_remote_thread_creation_in_browser_process_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 8 | 'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| sysmon | (source=WinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational) |
| windows_uncommon_remote_thread_creation_in_browser_process_filter | search * |
windows_uncommon_remote_thread_creation_in_browser_process_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Known False Positives
No false positives have been identified at this time.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| The process [$SourceImage$] created a remote thread into the browser process [$TargetImage$] in host $dest$. | dest | system | 20 |
Threat Objects
| Field | Type |
|---|---|
| TargetImage | process_name |
| SourceImage | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 1