Injected Browser Process Spawning Rundll32 - GuLoader Activity
Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
Sigma rule (View on GitHub)
1title: Injected Browser Process Spawning Rundll32 - GuLoader Activity
2id: 89e1490f-1a3e-452a-bbb8-b68a5f58072f
3status: test
4description: |
5 Detects the execution of installed GuLoader malware on the host.
6 GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
7references:
8 - Internal Research
9author: '@kostastsale'
10date: 2023-08-07
11tags:
12 - attack.defense-evasion
13 - attack.t1055
14 - detection.emerging-threats
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage|endswith:
21 - '\chrome.exe'
22 - '\firefox.exe'
23 - '\msedge.exe'
24 Image|endswith: '\rundll32.exe'
25 CommandLine|endswith: '\rundll32.exe'
26 condition: selection
27falsepositives:
28 - Unlikely
29level: high
References
Related rules
- APT PRIVATELOG Image Load Pattern
- Malware Shellcode in Verclsid Target Process
- Potential Dridex Activity
- Diamond Sleet APT DLL Sideloading Indicators
- Diamond Sleet APT Scheduled Task Creation - Registry