Rule : Thunderbird rnpkeys.exe DLL Hijacking - StealC InfoStealer
Rnpkeys Dll Hijack
Query
DeviceProcessEvents
| where FileName contains "rnpkeys.exe"
| where ProcessVersionInfoProductName == "Thunderbird"About this query
Explanation
This query is designed to detect suspicious activity related to the rnpkeys.exe process in the Thunderbird email client. Here's a simplified summary:
Purpose:
The query aims to identify and monitor the execution of rnpkeys.exe, a process in Thunderbird that handles cryptographic keys. This is important because malicious actors could exploit this process to load harmful DLLs, compromising secure communications.
Detection Logic:
-
DeviceProcessEvents:
- Looks for events where the file name is
rnpkeys.exeand the product name is Thunderbird.
- Looks for events where the file name is
-
DeviceImageLoadEvents:
- Looks for events where
rnpkeys.exeis the initiating process.
- Looks for events where
Why It Matters:
Monitoring rnpkeys.exe helps ensure that only legitimate operations are performed, providing an early warning for potential malicious activities like DLL hijacking.
Tags:
The query is associated with Thunderbird, cryptographic keys, email security, process monitoring, and the MITRE ATT&CK framework technique for DLL Search Order Hijacking (T1574.001).
Search Query:
The KQL (Kusto Query Language) snippets provided filter events to find instances where rnpkeys.exe is executed or initiates other processes, specifically within the Thunderbird application.
