← Back to Explore
splunk_escuTTP
Rundll32 CreateRemoteThread In Browser
The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.
Detection Query
`sysmon`
EventCode=8
SourceImage="*\\rundll32.exe"
TargetImage IN (
"*\\chrome.exe",
"*\\firefox.exe",
"*\\iexplore.exe",
"*\\microsoftedgecp.exe"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
values(NewThreadId) as "NewThreadId"
values(StartAddress) as "StartAddress"
by dest signature_id signature
SourceProcessGuid SourceProcessId SourceImage
TargetProcessGuid TargetProcessId TargetImage
StartModule StartFunction
SourceUser TargetUser vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `rundll32_createremotethread_in_browser_filter`Author
Teoderick Contreras, Splunk
Data Sources
Sysmon EventID 8
Raw Content
name: Rundll32 CreateRemoteThread In Browser
id: f8a22586-ee2d-11eb-a193-acde48001122
version: 11
creation_date: '2021-07-29'
modification_date: '2026-06-29'
author: Teoderick Contreras, Splunk
status: deprecated
type: TTP
description: |-
The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe.
This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior.
This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details.
If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.
data_source:
- Sysmon EventID 8
search: |-
`sysmon`
EventCode=8
SourceImage="*\\rundll32.exe"
TargetImage IN (
"*\\chrome.exe",
"*\\firefox.exe",
"*\\iexplore.exe",
"*\\microsoftedgecp.exe"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
values(NewThreadId) as "NewThreadId"
values(StartAddress) as "StartAddress"
by dest signature_id signature
SourceProcessGuid SourceProcessId SourceImage
TargetProcessGuid TargetProcessId TargetImage
StartModule StartFunction
SourceUser TargetUser vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `rundll32_createremotethread_in_browser_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives: No false positives have been identified at this time.
references:
- https://www.joesandbox.com/analysis/380662/0/html
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$
entity:
field: dest
type: system
score: 50
threat_objects:
- field: SourceImage
type: process
analytic_story:
- IcedID
- Living Off The Land
asset_type: Endpoint
mitre_attack_id:
- T1055
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
test_type: unit
deprecation_info:
reason: Detection has been deprecated. The search is being replaced with a more generic detection that captures the behavior instead of relying on specific source processes.
removed_in_version: 6.4.0
replacement_content:
- Windows Uncommon Remote Thread Creation In Browser Process