Name:Rundll32 Create Remote Thread To A Process id:2dbeee3a-f067-11eb-96c0-acde48001122 version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host. Data_source:
-Sysmon EventID 8
search:`sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage = "*.exe" | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll32_create_remote_thread_to_a_process_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the SourceImage, TargetImage, and EventCode executions from your endpoints related to create remote thread or injecting codes. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. known_false_positives:unknown References: -https://www.joesandbox.com/analysis/380662/0/html drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'IcedID' - 'Living Off The Land' asset_type:Endpoint confidence:80 impact:70 message:rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$ mitre_attack_id: - 'T1055' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'SourceImage' type:'Process' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'SourceImage' - 'TargetImage' - 'TargetProcessId' - 'SourceProcessId' - 'StartAddress' - 'EventCode' - 'dest' risk_score:56 security_domain:endpoint
