Detection rules › Splunk

Rundll32 CreateRemoteThread In Browser

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic detects rundll32.exe creating a remote thread in a browser process (firefox.exe, chrome.exe, iexplore.exe or microsoftedgecp.exe). It relies on Sysmon Event ID 8 (CreateRemoteThread) and matches on the SourceImage and TargetImage fields, so the Sysmon configuration on the endpoint must emit Event ID 8 for these image pairs for the rule to fire at all. The behavior is significant because it is commonly associated with banking malware such as IcedID, which injects into the browser to hook it and steal sensitive information such as banking credentials. If confirmed malicious, the attacker can intercept and exfiltrate user data from the browser session, leading to financial loss and privacy breaches. Two scoping caveats: microsoftedgecp.exe is the legacy EdgeHTML content process, so injection into Chromium-based Edge (msedge.exe) is not covered by the target list, and the SourceImage wildcard only matches a binary actually named rundll32.exe, not a renamed copy.

MITRE ATT&CK coverage

Tactic                Technique
Privilege Escalation  T1055 Process Injection
Defense Evasion       T1055 Process Injection

Event coverage

Provider  Event ID  Title
Sysmon    8         CreateRemoteThread

Stages and Predicates

Stage 1: search

search EventCode=8 SourceImage="*\\rundll32.exe" TargetImage IN ("*\\chrome.exe", "*\\firefox.exe", "*\\iexplore.exe", "*\\microsoftedgecp.exe")

Stage 2: stats

stats BY EventID, Guid, NewThreadId, ProcessID, SecurityID, SourceImage, SourceProcessGuid, SourceProcessId, StartAddress, StartFunction, StartModule, TargetImage, TargetProcessGuid, TargetProcessId, UserID, dest, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`
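To make the pipeline concrete, the block below is an added Python re-implementation of Stage 1 and Stage 2 run over a handful of constructed Sysmon Event ID 8 records; it is an illustration written for this page, not the Splunk analytic itself or any Splunk code. It approximates Splunk's case-insensitive wildcard matching with fnmatch, groups on a subset of the Stage 2 BY fields, and adds count/firstTime/lastTime, which the page's stats stage does not list. Host name, PIDs, paths and start addresses in the sample records are made up. The records that do not match show the gaps noted above: Chromium-based Edge (msedge.exe) is not in the target list, a renamed copy of rundll32.exe is not caught by the SourceImage wildcard, and a ProcessAccess event (Event ID 10) on the same process pair is ignored because the rule keys on Event ID 8 only.

```python
import fnmatch

# Stage 1, transcribed from the analytic. The SPL literal "*\\rundll32.exe"
# is an escaped backslash, so the pattern matches a path ending in \rundll32.exe.
SOURCE_PATTERN = r"*\rundll32.exe"
TARGET_PATTERNS = (
    r"*\chrome.exe",
    r"*\firefox.exe",
    r"*\iexplore.exe",
    r"*\microsoftedgecp.exe",  # legacy EdgeHTML only; msedge.exe is not covered
)

# Subset of the Stage 2 "stats BY" fields (assumption: the real stage groups on many more).
GROUP_FIELDS = ("dest", "SourceImage", "SourceProcessId", "TargetImage",
                "TargetProcessId", "StartAddress", "StartFunction")


def spl_like_match(value, pattern):
    """Approximate a Splunk field wildcard: '*' is the only metacharacter and the
    comparison is case-insensitive. fnmatch treats backslash as a literal."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def stage1_search(event):
    """Stage 1: EventCode=8 AND SourceImage=*\\rundll32.exe AND TargetImage IN (...)."""
    if str(event.get("EventCode")) != "8":
        return False
    if not spl_like_match(event.get("SourceImage"), SOURCE_PATTERN):
        return False
    return any(spl_like_match(event.get("TargetImage"), p) for p in TARGET_PATTERNS)


def stage2_stats(events):
    """Stage 2: group Stage 1 hits by the BY fields. count/firstTime/lastTime are
    added here as the usual shape of such a stats stage (assumption)."""
    groups = {}
    for ev in events:
        if not stage1_search(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return [dict(zip(GROUP_FIELDS, k), **v) for k, v in groups.items()]


def _ev(t, code, src, spid, tgt, tpid, addr="0x00000224C8A40000"):
    # Constructed Sysmon record with the fields the rule reads; host "WS01" is made up.
    return {"_time": t, "EventCode": code, "dest": "WS01", "SourceImage": src,
            "SourceProcessId": spid, "TargetImage": tgt, "TargetProcessId": tpid,
            "StartAddress": addr, "StartFunction": ""}


RUNDLL32 = r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE"  # upper case: must still match
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample log: two hits into one chrome process, one into firefox, four misses.
SAMPLE_EVENTS = [
    _ev(1700000000, 8, RUNDLL32, "4412", CHROME, "6120"),              # hit
    _ev(1700000004, 8, RUNDLL32, "4412", CHROME, "6120"),              # hit, same group
    _ev(1700000010, 8, RUNDLL32, "4412", FIREFOX, "7001"),             # hit, new group
    _ev(1700000011, 8, RUNDLL32, "4412", MSEDGE, "7100"),              # miss: msedge.exe not listed
    _ev(1700000012, 8, r"C:\Program Files\Vendor\agent.exe", "900", CHROME, "6120"),  # miss: not rundll32
    _ev(1700000013, 10, RUNDLL32, "4412", CHROME, "6120"),             # miss: Event ID 10, not 8
    _ev(1700000014, 8, r"C:\Users\Public\svchost32.exe", "5000", CHROME, "6120"),     # miss: renamed rundll32
]

if __name__ == "__main__":
    for row in stage2_stats(SAMPLE_EVENTS):
        print(row["count"], row["SourceImage"], "->", row["TargetImage"])
```

Run stand-alone it prints two groups, the chrome one with count 2. The msedge.exe miss is the one worth acting on: if Chromium-based Edge is the deployed browser, the target list as written gives no coverage for it.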

Indicators

Each row is a field, an operator, and the value(s) the rule matches. The corpus count shows how many other rules in the catalog look for the same field/operator/value combination: a high number points to a widely used, community-vetted indicator, while a blank or 1 means the indicator is specific to this rule.

Field        Kind  Values
EventCode    eq
  • 8 corpus 8 (splunk 8)
SourceImage  eq
  • "*\\rundll32.exe" corpus 2 (splunk 2)
TargetImage  in
  • "*\\chrome.exe" corpus 3 (splunk 3)
  • "*\\firefox.exe" corpus 3 (splunk 3)
  • "*\\iexplore.exe" corpus 2 (splunk 2)
  • "*\\microsoftedgecp.exe" corpus 2 (splunk 2)