Type: Detection | Level: medium | Status: test
Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Author: Perez Diego, oscd.community | Created: Sun Oct 27 | Updated: Tue Jul 08 | Rule ID: 66d31e5f-52d6-40a4-9615-002d3789a119 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Remote Thread Creation (raw: create_remote_thread)
Detection Logic (18 selectors)
detection:
    selection:
        SourceImage|endswith:
            - '\explorer.exe'
            - '\iexplore.exe'
            - '\msiexec.exe'
            - '\powerpnt.exe'
            - '\schtasks.exe'
            - '\winlogon.exe'
    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
            - 'C:\Windows\System32\wlrmdr.exe'
            - 'C:\Windows\System32\AtBroker.exe'
            - 'C:\Windows\System32\dwm.exe'
            - 'C:\Windows\System32\fontdrvhost.exe'
            - 'C:\Windows\System32\userinit.exe'
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_explorer:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec_1:
        # Note: MSI installers will trigger this
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    filter_main_msiexec_2:
        SourceImage|endswith: '\msiexec.exe'
        TargetImage:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_iexplore:
        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
        TargetImage:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Windows\System32\rundll32.exe'
    filter_main_powerpnt:
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage|contains:
            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
            - 'C:\Program Files (x86)\Microsoft Office\'
    filter_optional_aurora_smartconsole1:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceCommandLine|contains|all:
            - 'https://'
            - '.checkpoint.com/documents/'
            - 'SmartConsole_OLH/'
            - 'default.htm#cshid='
    filter_optional_aurora_smartconsole2:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceParentImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceParentImage|contains|all:
            - '\CheckPoint\SmartConsole\'
            - '\SmartConsole.exe'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage: 'C:\Windows\System32\csrss.exe'
    filter_main_null:
        TargetImage: null
    filter_main_empty:
        TargetImage: ''
    filter_optional_onedrive:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_aurora:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\aurora-dashboard.exe'
    filter_optional_officesetup:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\OfficeSetup.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives
This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
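To show how the condition above is evaluated, here is a small Python evaluator run over a few constructed Sysmon Event ID 8 (CreateRemoteThread) records. It is an added example, not code from this page or from SigmaHQ; `RULE`, `EVENTS` and the matcher functions are assumptions, and `RULE` encodes only a subset of the filters listed above.

```python
# Minimal evaluator for this rule's condition (added example, not SigmaHQ code). Sigma
# string matching is case-insensitive, which is why the selection can use '\powerpnt.exe'
# while a filter uses '\POWERPNT.EXE'. Only a subset of the filters is encoded here.
RULE = {
    "selection": {"SourceImage|endswith": ["\\explorer.exe", "\\iexplore.exe", "\\msiexec.exe",
                                           "\\powerpnt.exe", "\\schtasks.exe", "\\winlogon.exe"]},
    "filter_main_winlogon_1": {"SourceImage": "C:\\Windows\\System32\\winlogon.exe",
                               "TargetImage": ["C:\\Windows\\System32\\csrss.exe",
                                               "C:\\Windows\\System32\\LogonUI.exe"]},
    "filter_main_explorer": {"SourceImage": "C:\\Windows\\explorer.exe",
                             "TargetImage|startswith": ["C:\\Program Files (x86)\\", "C:\\Program Files\\",
                                                        "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]},
    "filter_main_system": {"TargetImage": "System"},
    "filter_main_null": {"TargetImage": None},   # YAML null: the field is absent from the event
    "filter_main_empty": {"TargetImage": ""},
}

def _value_matches(value, mods, pattern):
    if pattern is None or value is None:     # Sigma `null` matches only an absent field
        return pattern is None and value is None
    v, p = str(value).lower(), str(pattern).lower()
    if "endswith" in mods:
        return v.endswith(p)
    if "startswith" in mods:
        return v.startswith(p)
    return p in v if "contains" in mods else v == p   # contains, otherwise exact match

def _selector_matches(event, selector):
    # Keys inside one selector are AND-ed; a list of values is OR-ed unless |all is given.
    for key, patterns in selector.items():
        field, *mods = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        combine = all if "all" in mods else any
        if not combine(_value_matches(event.get(field), mods, p) for p in values):
            return False
    return True

def evaluate(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _selector_matches(event, RULE["selection"]):
        return False
    filters = [n for n in RULE if n.startswith(("filter_main_", "filter_optional_"))]
    return not any(_selector_matches(event, RULE[n]) for n in filters)

EVENTS = [  # constructed Sysmon Event ID 8 records, not real telemetry; only the first alerts
    {"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Users\\alice\\Downloads\\unknown.exe"},
    {"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe"},
    {"SourceImage": "C:\\Windows\\System32\\winlogon.exe", "TargetImage": "C:\\Windows\\System32\\csrss.exe"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Users\\alice\\Downloads\\unknown.exe"},
    {"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": None},
]
```

The second, third and fifth records are suppressed by `filter_main_explorer`, `filter_main_winlogon_1` and `filter_main_null` respectively, and the fourth never enters the selection because svchost.exe is not one of the listed source images.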
References
1. Personal research, statistical analysis
2. lolbas-project.github.io
MITRE ATT&CK
Rule Metadata
Rule ID
66d31e5f-52d6-40a4-9615-002d3789a119
Status
test
Level
medium
Type
Detection
Created
Sun Oct 27
Modified
Tue Jul 08
Author
Perez Diego, oscd.community
Path
rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
Raw Tags
attack.privilege-escalation, attack.defense-evasion, attack.t1055