Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

WindowsRemote Thread Creation

TA0006 · Credential Access

Nasreddine Bencherchali (Nextron Systems)Fri Jul 28windows

Detectionhightest

Potential Credential Dumping Attempt Via PowerShell Remote Thread

Detects remote thread creation by PowerShell processes into "lsass.exe"

WindowsRemote Thread Creation

TA0006 · Credential AccessT1003.001 · LSASS Memory

oscd.community+1Tue Oct 06windows

Detectionmediumtest

Remote Thread Creation Via PowerShell In Uncommon Target

Detects the creation of a remote thread from a Powershell process in an uncommon target process

WindowsRemote Thread Creation

TA0005 · Defense EvasionTA0002 · ExecutionT1218.011 · Rundll32T1059.001 · PowerShell

Florian Roth (Nextron Systems)Mon Jun 25windows

Detectionhighstable

Password Dumper Remote Thread in LSASS

Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.

WindowsRemote Thread Creation

TA0006 · Credential AccessS0005 · S0005T1003.001 · LSASS Memory

Thomas PatzkeSun Feb 19windows

Detectionhightest

Rare Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

WindowsRemote Thread Creation

TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055 · Process Injection

Perez Diego+1Sun Oct 27windows

Detectionmediumtest

Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

WindowsRemote Thread Creation

TA0004 · Privilege EscalationTA0005 · Defense EvasionT1055 · Process Injection

Perez Diego+1Sun Oct 27windows

Detectionmediumtest

Remote Thread Creation In Uncommon Target Image

Detects uncommon target processes for remote thread creation

WindowsRemote Thread Creation

TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055.003 · Thread Execution Hijacking

Florian Roth (Nextron Systems)Wed Mar 16windows

Detectionhightest

Remote Thread Creation Ttdinject.exe Proxy

Detects a remote thread creation of Ttdinject.exe used as proxy

WindowsRemote Thread Creation

TA0005 · Defense EvasionT1127 · Trusted Developer Utilities Proxy Execution

François HubautMon May 16windows

Emerging Threathightest

Potential Bumblebee Remote Thread Creation

Detects remote thread injection events based on action seen used by bumblebee

WindowsRemote Thread Creation

TA0005 · Defense EvasionTA0002 · ExecutionT1218.011 · Rundll32T1059.001 · PowerShell+1

Nasreddine Bencherchali (Nextron Systems)Tue Sep 272022

Threat Huntmediumtest

CreateRemoteThread API and LoadLibrary

Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process

WindowsRemote Thread Creation

TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055.001 · Dynamic-link Library Injectiondetection.threat-hunting

Roberto Rodriguez (Cyb3rWard0g)Sun Aug 11windows

Threat Huntmediumtest

Remote Thread Creation Via PowerShell

Detects the creation of a remote thread from a Powershell process to another process

WindowsRemote Thread Creation

TA0002 · ExecutionT1059.001 · PowerShelldetection.threat-hunting

Nikita Nazarov+1Tue Oct 06windows

Threat Huntmediumtest

Remote Thread Created In Shell Application

Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.

WindowsRemote Thread Creation

TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055 · Process Injectiondetection.threat-hunting

Splunk Research TeamMon Jul 29windows