Detectionhightest
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Perez Diego, oscd.communityCreated Sun Oct 27Updated Mon Dec 0802d1d718-dd13-41af-989d-ea85c7fab93fwindows
Log Source
WindowsRemote Thread Creation
ProductWindows← raw: windows
CategoryRemote Thread Creation← raw: create_remote_thread
Detection Logic
Detection Logic8 selectors
detection:
selection:
SourceImage|endswith:
- '\bash.exe'
- '\cscript.exe'
- '\cvtres.exe'
- '\defrag.exe'
- '\dialer.exe'
- '\dnx.exe'
- '\esentutl.exe'
- '\excel.exe'
- '\expand.exe'
- '\find.exe'
- '\findstr.exe'
- '\forfiles.exe'
- '\gpupdate.exe'
- '\hh.exe'
- '\installutil.exe'
- '\lync.exe'
- '\makecab.exe'
- '\mDNSResponder.exe'
- '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
- '\msbuild.exe'
- '\mshta.exe'
- '\mspaint.exe'
- '\outlook.exe'
- '\ping.exe'
- '\provtool.exe'
- '\python.exe'
- '\regsvr32.exe'
- '\robocopy.exe'
- '\runonce.exe'
- '\sapcimc.exe'
- '\smartscreen.exe'
- '\spoolsv.exe'
- '\tstheme.exe'
- '\userinit.exe'
- '\vssadmin.exe'
- '\vssvc.exe'
- '\w3wp.exe'
- '\winscp.exe'
- '\winword.exe'
- '\wmic.exe'
- '\wscript.exe'
filter_main_conhost:
SourceImage:
- 'C:\Windows\System32\Defrag.exe'
- 'C:\Windows\System32\makecab.exe'
TargetImage: 'C:\Windows\System32\conhost.exe'
filter_main_provtol_svchost:
SourceImage: 'C:\Windows\System32\provtool.exe'
TargetImage: 'C:\Windows\System32\svchost.exe'
filter_main_provtool_system:
SourceImage: 'C:\Windows\System32\provtool.exe'
TargetImage: 'System'
filter_main_userinit:
SourceImage: 'C:\Windows\System32\userinit.exe'
TargetImage: 'C:\Windows\explorer.exe'
filter_main_winword:
SourceImage|endswith: '\WINWORD.EXE'
TargetImage|startswith:
- 'C:\Program Files (x86)\' # C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
- 'C:\Program Files\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
filter_main_ms_office:
# Raised by following issue: https://github.com/SigmaHQ/sigma/issues/5529
SourceImage|startswith:
- 'C:\Program Files\Microsoft Office\'
- 'C:\Program Files (x86)\Microsoft Office\'
TargetImage: 'System'
filter_optional_explorer_vmtools:
SourceImage|endswith: '\SysWOW64\explorer.exe'
TargetImage:
- 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
- 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
References
1
2Resolving title…
Personal research, statistical analysisResolving title…
lolbas-project.github.ioMITRE ATT&CK
Rule Metadata
Rule ID
02d1d718-dd13-41af-989d-ea85c7fab93f
Status
test
Level
high
Type
Detection
Created
Sun Oct 27
Modified
Mon Dec 08
Author
Path
rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
Raw Tags
attack.privilege-escalationattack.defense-evasionattack.t1055