Emerging Threathightest

Potential Bumblebee Remote Thread Creation

Detects remote thread injection events based on action seen used by bumblebee

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Tue Sep 27994cac2b-92c2-44bf-8853-14f6ca39fbda2022

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsRemote Thread Creation

ProductWindows← raw: windows

CategoryRemote Thread Creation← raw: create_remote_thread

Detection Logic

detection:
    selection:
        SourceImage|endswith:
            - '\wabmig.exe'
            - '\wab.exe'
            - '\ImagingDevices.exe'
        TargetImage|endswith: '\rundll32.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

thedfirreport.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0002 · Execution

Sub-techniques

T1218.011 · Rundll32 T1059.001 · PowerShell

Other

detection.emerging-threats

Rule Metadata

Rule ID

994cac2b-92c2-44bf-8853-14f6ca39fbda

Status

test

Level

high

Type

Emerging Threat

Created

Tue Sep 27

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml

Raw Tags

attack.defense-evasionattack.executionattack.t1218.011attack.t1059.001detection.emerging-threats

View on GitHub