Detection rules › Splunk
Windows Unusual Process Load Mozilla NSS-Mozglue Module
The following analytic identifies processes loading Mozilla NSS-Mozglue libraries such as mozglue.dll and nss3.dll. It leverages Sysmon Event logs, specifically monitoring EventCode 7, which tracks image loaded events. This activity is significant because it can indicate unauthorized access or manipulation of these libraries, which are commonly used by Mozilla applications like Firefox and Thunderbird. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218.003 System Binary Proxy Execution: CMSTP |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: search
search NOT process_path IN ("*:\\Program Files (x86)\Mozilla Firefox\\firefox.exe", "*:\\Program Files (x86)\\Code42\\CrashPlan\\Code42Service.exe", "*:\\Program Files (x86)\\Cyberfox\\cyberfox.exe", "*:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", "*:\\Program Files (x86)\\Mozilla Thunderbird\\thunderbird.exe", "*:\\Program Files (x86)\\Pale Moon\\palemoon.exe", "*:\\Program Files (x86)\\VMware\\VMware Horizon View Client\\vmware-view.exe", "*:\\Program Files (x86)\\Waterfox\\waterfox.exe", "*:\\Program Files\Mozilla Firefox\\firefox.exe", "*:\\Program Files\\Code42\\CrashPlan\\Code42Service.exe", "*:\\Program Files\\Cyberfox\cyberfox.exe", "*:\\Program Files\\Google\\Google Earth Pro\\client\\googleearth.exe", "*:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "*:\\Program Files\\Pale Moon\\palemoon.exe", "*:\\Program Files\\Waterfox\\waterfox.exe", "*\\AppData\\Local\\slack\\slack.exe", "*\\Tor Browser\\Browser\\firefox.exe") EventCode=7 ImageLoaded IN ("*\\mozglue.dll", "*\\nss3.dll")
Stage 2: fillnull
fillnull
Stage 3: stats
stats BY Image, ImageLoaded, dest, loaded_file, loaded_file_path, original_file_name, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | process_name | in | "*:\\Program Files (x86)\Mozilla Firefox\\firefox.exe", "*:\\Program Files (x86)\\Code42\\CrashPlan\\Code42Service.exe", "*:\\Program Files (x86)\\Cyberfox\\cyberfox.exe", "*:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", "*:\\Program Files (x86)\\Mozilla Thunderbird\\thunderbird.exe", "*:\\Program Files (x86)\\Pale Moon\\palemoon.exe", "*:\\Program Files (x86)\\VMware\\VMware Horizon View Client\\vmware-view.exe", "*:\\Program Files (x86)\\Waterfox\\waterfox.exe", "*:\\Program Files\Mozilla Firefox\\firefox.exe", "*:\\Program Files\\Code42\\CrashPlan\\Code42Service.exe", "*:\\Program Files\\Cyberfox\cyberfox.exe", "*:\\Program Files\\Google\\Google Earth Pro\\client\\googleearth.exe", "*:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "*:\\Program Files\\Pale Moon\\palemoon.exe", "*:\\Program Files\\Waterfox\\waterfox.exe", "*\\AppData\\Local\\slack\\slack.exe", "*\\Tor Browser\\Browser\\firefox.exe" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ImageLoaded | in |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Windows Remote Access Software BRC4 Loaded Dll (drops 2 filters this rule applies)