Threat Hunt | level: medium | status: test
Remote Thread Created In Shell Application
Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
Hunting Hypothesis
Log Source
Windows / Remote Thread Creation
Product: Windows (raw: windows)
Category: Remote Thread Creation (raw: create_remote_thread)
Detection Logic (3 selectors)
detection:
    selection:
        TargetImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_main_system:
        SourceImage|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    filter_optional_defender:
        SourceImage|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
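The following is an added example, not code from this page or from the Sigma project, that evaluates the detection logic above in Python against a handful of constructed Sysmon Event ID 8 (CreateRemoteThread) records. It assumes each event is a dict carrying the rule's two fields, `SourceImage` and `TargetImage`, and it applies Sigma's default case-insensitive string matching. The sample event paths are made up for the demonstration.

```python
# Added example: apply the "Remote Thread Created In Shell Application" Sigma logic
# to constructed Sysmon Event ID 8 records. Field names (SourceImage, TargetImage)
# follow the rule; the events themselves are constructed, not captured.
from typing import Iterable, List

# selection: TargetImage|endswith
TARGET_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
# filter_main_system: SourceImage|startswith
SYSTEM_PREFIXES = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Program Files (x86)\\",
    "C:\\Program Files\\",
)
# filter_optional_defender: SourceImage|endswith
DEFENDER_SUFFIX = "\\MsMpEng.exe"


def _ci_endswith(value: str, suffixes) -> bool:
    # Sigma string modifiers match case-insensitively by default
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _ci_startswith(value: str, prefixes) -> bool:
    v = value.lower()
    return any(v.startswith(p.lower()) for p in prefixes)


def matches(event: dict) -> bool:
    """True when the event satisfies
    'selection and not 1 of filter_main_* and not 1 of filter_optional_*'."""
    target = event.get("TargetImage", "")
    source = event.get("SourceImage", "")
    selection = _ci_endswith(target, TARGET_SUFFIXES)
    filter_main_system = _ci_startswith(source, SYSTEM_PREFIXES)
    filter_optional_defender = _ci_endswith(source, (DEFENDER_SUFFIX,))
    return selection and not filter_main_system and not filter_optional_defender


def hunt(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events the rule would surface for triage."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # binary in a user temp directory creating a thread in cmd.exe -> hit
    {"SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\cmd.exe"},
    # csrss.exe from System32 touching powershell.exe -> excluded by filter_main_system
    {"SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Defender engine (path version segment is a placeholder) -> excluded by filter_optional_defender
    {"SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\VERSION\\MsMpEng.exe",
     "TargetImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},
    # same temp binary, but the target is not a shell -> not selected
    {"SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
    # "Program Files" on a different drive letter: the C:-rooted prefix filter does not apply -> hit
    {"SourceImage": "D:\\Program Files\\Tool\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT", hit["SourceImage"], "->", hit["TargetImage"])
```

Two of the five constructed events survive the filters. The last one is worth noticing during triage: the `filter_main_*` exclusions are plain path prefixes rooted on `C:`, so a signed installer running from a second drive produces a hit just like the temp-directory binary does. That is consistent with the rule's threat-hunting status: the output is a triage queue, not a verdict, and the `SourceImage` signature and parent process are the first things to check on each hit.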
MITRE ATT&CK
Tactics: Defense Evasion, Privilege Escalation
Techniques: T1055 (Process Injection)
Other
detection.threat-hunting
Rule Metadata
Rule ID
a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f
Status
test
Level
medium
Type
Threat Hunt
Created
Mon Jul 29
Modified
Fri Jul 04
Author
Path
rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml
Raw Tags
attack.defense-evasion, attack.privilege-escalation, attack.t1055, detection.threat-hunting