
Summary
Detects remote-thread creation from non-browser executables into browser processes using Sysmon EventID 8. The rule flags scenarios where a parent process (e.g., wermgr.exe or rundll32.exe) creates a thread inside a browser process (Chrome, Firefox, and many others). This behavior is anomalous for browsers and is commonly used by malware families such as Qakbot and IcedID to inject code, potentially enabling arbitrary code execution, privilege escalation, and data exfiltration. The detection relies on SourceImage and TargetImage fields to identify cross-process injection activity and provides a time-bounded, per-destination view of occurrences. The rule collects: firstTime, lastTime, NewThreadId, StartAddress by destination, signature, and related process identifiers. It is designed to be used with log sources that provide SourceImage, TargetImage, and EventCode (Sysmon CreateRemoteThread) data, and presumes Sysmon logs (preferably TA version 6.0.4 or newer) are in use. The rule maps to MITRE ATT&CK technique T1055.001 (Process Injection) and is intended for endpoint detections in Splunk Enterprise/Security deployments. Annotations include references to Qakbot and IcedID analyses and a list of validated true-positive tests (Wermgr and Rundll32 scenarios). The approach emphasizes correlation between unusual remote thread creation and browser process targets to surface potential malware activity that leverages legitimate processes to access sensitive information.
Categories
- Endpoint
Data Sources
- Image
ATT&CK Techniques
- T1055.001
Created: 2026-07-06