
Windows Process Injection Of Wermgr to Known Browser

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.

MITRE ATT&CK coverage

Tactic               | Technique
Privilege Escalation | T1055.001 Process Injection: Dynamic-link Library Injection
Defense Evasion      | T1055.001 Process Injection: Dynamic-link Library Injection

Event coverage

Provider | Event ID | Title
Sysmon   | 8        | CreateRemoteThread

Stages and Predicates

Stage 1: search

search EventCode=8 SourceImage="*\\wermgr.exe" TargetImage IN ("*\\chrome.exe", "*\\firefox.exe", "*\\iexplore.exe", "*\\microsoftedgecp.exe")

Stage 2: stats

stats BY EventID, Guid, NewThreadId, ProcessID, SecurityID, SourceImage, SourceProcessGuid, SourceProcessId, StartAddress, StartFunction, StartModule, TargetImage, TargetProcessGuid, TargetProcessId, UserID, dest, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`
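
The search stage above, applied outside Splunk as an added Python example (not part of the rule or the catalog): it parses constructed Sysmon Event ID 8 records, applies the same EventCode / SourceImage / TargetImage test with Splunk-style case-insensitive wildcards, and returns the hits. The key="value" line layout, the field names beyond those in the rule, and the use of fnmatch for wildcard matching are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Wildcard patterns copied from the rule's search stage.
SOURCE_IMAGE = "*\\wermgr.exe"
TARGET_IMAGES = ("*\\chrome.exe", "*\\firefox.exe",
                 "*\\iexplore.exe", "*\\microsoftedgecp.exe")

# Constructed sample events (not real telemetry), flattened to key="value"
# pairs. Only EventCode 8 (CreateRemoteThread) should count; line 4 is an
# EventCode 10 (ProcessAccess) record with the same images and must not match.
SAMPLE_LINES = [
    'EventCode=8 SourceImage="C:\\Windows\\System32\\wermgr.exe" '
    'TargetImage="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" TargetProcessId="4120"',
    'EventCode=8 SourceImage="C:\\WINDOWS\\SYSTEM32\\WERMGR.EXE" '
    'TargetImage="C:\\Program Files\\Mozilla Firefox\\firefox.exe" TargetProcessId="5012"',
    'EventCode=8 SourceImage="C:\\Windows\\System32\\wermgr.exe" '
    'TargetImage="C:\\Windows\\System32\\svchost.exe" TargetProcessId="900"',
    'EventCode=10 SourceImage="C:\\Windows\\System32\\wermgr.exe" '
    'TargetImage="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" TargetProcessId="4120"',
    'EventCode=8 SourceImage="C:\\Users\\alice\\AppData\\Local\\Temp\\wermgr.exe" '
    'TargetImage="C:\\Program Files\\Internet Explorer\\iexplore.exe" TargetProcessId="2210"',
]

# Either key="quoted value" or key=bare_value.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

def parse_event(line):
    """Turn one flattened key=value line into a dict of Sysmon fields."""
    fields = {}
    for qkey, qval, key, val in FIELD_RE.findall(line):
        fields[qkey or key] = qval if qkey else val
    return fields

def wildcard_match(value, pattern):
    """Splunk-style compare: '*' matches any run of characters, case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())

def matches_rule(event):
    """Apply the rule's search stage to a single parsed event."""
    return (event.get("EventCode") == "8"
            and wildcard_match(event.get("SourceImage", ""), SOURCE_IMAGE)
            and any(wildcard_match(event.get("TargetImage", ""), p) for p in TARGET_IMAGES))

def detect(lines):
    """Return (SourceImage, TargetImage, TargetProcessId) for every matching event."""
    hits = []
    for event in map(parse_event, lines):
        if matches_rule(event):
            hits.append((event["SourceImage"], event["TargetImage"], event.get("TargetProcessId")))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES):
        print("wermgr.exe remote thread into browser:", hit)
```

Note that the wermgr.exe copy under a user's Temp directory is caught as well, since the rule matches on the file name only; the stats stage of the rule is what adds the surrounding process context an analyst needs to triage such a hit.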

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
EventCode | eq
  • 8 (corpus 8, splunk 8)
SourceImage | eq
  • "*\\wermgr.exe" (corpus 2, splunk 2)
TargetImage | in
  • "*\\chrome.exe" (corpus 3, splunk 3)
  • "*\\firefox.exe" (corpus 3, splunk 3)
  • "*\\iexplore.exe" (corpus 2, splunk 2)
  • "*\\microsoftedgecp.exe" (corpus 2, splunk 2)