Detection: Windows Process Injection Of Wermgr to Known Browser

DEPRECATED DETECTION

This detection has been marked as deprecated by the Splunk Threat Research team. This means that it will no longer be maintained or supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Description

The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.

 1`sysmon`
 2EventCode=8
 3SourceImage="*\\wermgr.exe"
 4TargetImage IN ("*\\firefox.exe", "*\\chrome.exe", "*\\iexplore.exe","*\\microsoftedgecp.exe")
 5
 6| stats count min(_time) as firstTime
 7              max(_time) as lastTime
 8              values(NewThreadId) as "NewThreadId"
 9              values(StartAddress) as "StartAddress"
10  by dest signature_id signature
11     SourceProcessGuid SourceProcessId SourceImage
12     TargetProcessGuid TargetProcessId TargetImage
13     StartModule StartFunction
14     SourceUser TargetUser vendor_product
15
16| `security_content_ctime(firstTime)`
17
18| `security_content_ctime(lastTime)`
19
20| `windows_process_injection_of_wermgr_to_known_browser_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 8 Windows icon Windows 'XmlWinEventLog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_process_injection_of_wermgr_to_known_browser_filter search *
windows_process_injection_of_wermgr_to_known_browser_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1055.001 Dynamic-link Library Injection Privilege Escalation
Exploitation
DE.CM
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Intermediate Finding (Risk Event) No
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.

Implementation

To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Finding

Title Entity Field Entity Type Risk Score
wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $dest$ dest system 50

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ❌ Failing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub |

Version: 12