Injected Browser Process Spawning Rundll32 - GuLoader Activity
Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
Sigma rule (View on GitHub)
1title: Injected Browser Process Spawning Rundll32 - GuLoader Activity
2id: 89e1490f-1a3e-452a-bbb8-b68a5f58072f
3status: test
4description: |
5 Detects the execution of installed GuLoader malware on the host.
6 GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
7references:
8 - Internal Research
9author: '@kostastsale'
10date: 2023-08-07
11tags:
12 - attack.privilege-escalation
13 - attack.defense-evasion
14 - attack.t1055
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 ParentImage|endswith:
22 - '\chrome.exe'
23 - '\firefox.exe'
24 - '\msedge.exe'
25 Image|endswith: '\rundll32.exe'
26 CommandLine|endswith: '\rundll32.exe'
27 condition: selection
28falsepositives:
29 - Unlikely
30level: high
References
Related rules
- Lummac Stealer Activity - Execution Of More.com And Vbc.exe
- APT PRIVATELOG Image Load Pattern
- Malware Shellcode in Verclsid Target Process
- Potential Dridex Activity
- APT27 - Emissary Panda Activity