Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

CreateRemoteThread API and LoadLibrary

Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g)Created Sun Aug 11Updated Mon Jan 22052ec6f6-1adc-41e6-907a-f1c813478beewindows
Hunting Hypothesis
Log Source
WindowsRemote Thread Creation
ProductWindows← raw: windows
CategoryRemote Thread Creation← raw: create_remote_thread
Detection Logic
Detection Logic1 selector
detection:
    selection:
        StartModule|endswith: '\kernel32.dll'
        StartFunction: 'LoadLibraryA'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
threathunterplaybook.com
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
052ec6f6-1adc-41e6-907a-f1c813478bee
Status
test
Level
medium
Type
Threat Hunt
Created
Sun Aug 11
Modified
Mon Jan 22
Author
Roberto Rodriguez (Cyb3rWard0g)
Path
rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1055.001detection.threat-hunting
View on GitHub