Query Details

Rule : Thunderbird rnpkeys.exe DLL Hijacking - StealC InfoStealer

Rnpkeys Dll Hijack

Query

DeviceProcessEvents
| where FileName contains "rnpkeys.exe"
| where ProcessVersionInfoProductName == "Thunderbird"

About this query

Explanation

This query is designed to detect suspicious activity related to the rnpkeys.exe process in the Thunderbird email client. Here's a simplified summary:

Purpose:

The query aims to identify and monitor the execution of rnpkeys.exe, a process in Thunderbird that handles cryptographic keys. This is important because malicious actors could exploit this process to load harmful DLLs, compromising secure communications.

Detection Logic:

  1. DeviceProcessEvents:

    • Looks for events where the file name is rnpkeys.exe and the product name is Thunderbird.
  2. DeviceImageLoadEvents:

    • Looks for events where rnpkeys.exe is the initiating process.

Why It Matters:

Monitoring rnpkeys.exe helps ensure that only legitimate operations are performed, providing an early warning for potential malicious activities like DLL hijacking.

Tags:

The query is associated with Thunderbird, cryptographic keys, email security, process monitoring, and the MITRE ATT&CK framework technique for DLL Search Order Hijacking (T1574.001).

Search Query:

The KQL (Kusto Query Language) snippets provided filter events to find instances where rnpkeys.exe is executed or initiates other processes, specifically within the Thunderbird application.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 17, 2024

Tables

DeviceProcessEventsDeviceImageLoadEvents

Keywords

DevicesEmailSecurityProcessMonitoringSuspiciousActivity

Operators

contains==|where

MITRE Techniques

Actions

GitHub