
Summary
This detection rule identifies suspicious remote thread injection in which the Windows Error Reporting Manager (wermgr.exe) creates a thread inside a known web browser process such as firefox.exe, chrome.exe, iexplore.exe, or microsoftedgecp.exe. The rule uses Sysmon EventCode 8 and matches on both the SourceImage and TargetImage fields. This behavior is often associated with Qakbot malware, which executes remote code inside legitimate processes to compromise system integrity, potentially allowing attackers to escalate privileges and exfiltrate sensitive information. The search captures remote thread creation by wermgr.exe, enabling early identification of potential intrusions that pose significant risk to the protected host.
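The matching logic described above, as an added Python example that is not part of the rule's own search: it applies the SourceImage/TargetImage check to constructed Sysmon EventCode 8 (CreateRemoteThread) records, normalising image paths to lowercase file names so that differing directories and letter case do not cause misses. The sample events and host names are constructed for illustration.

```python
"""Detection logic for Sysmon EventCode 8 (CreateRemoteThread) where
wermgr.exe is the source image and a web browser is the target image."""
import ntpath

# Browser images named by the rule (matched against Sysmon TargetImage).
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "iexplore.exe", "microsoftedgecp.exe"}
SOURCE_IMAGE = "wermgr.exe"

# Constructed sample Sysmon events (not real telemetry); field names follow
# the Sysmon Event ID 8 event data as it appears in the Windows event log.
SAMPLE_EVENTS = [
    {"EventCode": 8, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\wermgr.exe",
     "SourceProcessId": 4120, "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetProcessId": 5532, "StartAddress": "0x00007FF9A0C01234"},
    {"EventCode": 8, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceProcessId": 612, "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 2210, "StartAddress": "0x00007FF9B1000000"},
    {"EventCode": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": "wermgr.exe -upload"},
    {"EventCode": 8, "Computer": "WS02", "SourceImage": r"C:\WINDOWS\SysWOW64\WerMgr.exe",
     "SourceProcessId": 7788, "TargetImage": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "TargetProcessId": 9001, "StartAddress": "0x0000000002E10000"},
]

def process_name(image_path):
    """Return the lowercase file name of a Windows image path ('' if missing)."""
    return ntpath.basename(image_path or "").lower()

def is_wermgr_browser_injection(event):
    """True when the event is a CreateRemoteThread from wermgr.exe into a browser."""
    if event.get("EventCode") != 8:
        return False
    return (process_name(event.get("SourceImage")) == SOURCE_IMAGE
            and process_name(event.get("TargetImage")) in BROWSER_IMAGES)

def find_injections(events):
    """Return (Computer, SourceProcessId, TargetProcessId, target name) per hit."""
    return [(e["Computer"], e["SourceProcessId"], e["TargetProcessId"],
             process_name(e["TargetImage"]))
            for e in events if is_wermgr_browser_injection(e)]

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_EVENTS):
        print("ALERT wermgr.exe remote thread into browser:", hit)
```

Only the two EventCode 8 records with wermgr.exe as source and a listed browser as target are reported; the csrss.exe thread and the EventCode 1 process-creation record are ignored.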
Categories
- Endpoint
Data Sources
- Pod
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1055.001
- T1055
Created: 2024-11-13