HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
Sigma rule:

title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
    - https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1055.012
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\System32\cscript.exe'
            - '\System32\wscript.exe'
            - '\System32\mshta.exe'
            - '\winword.exe'
            - '\excel.exe'
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
falsepositives:
    - Unknown
level: high
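The rule's selection block evaluated over constructed Sysmon Event ID 8 (CreateRemoteThread) records, as an added Python example that is not part of the Sigma project or this rule. It assumes Sigma's case-insensitive `endswith`/`contains` semantics and that the collector maps Sysmon's `-` placeholder for an unknown StartModule to a null field; the sample events are constructed, not real telemetry.

```python
# Added example: applies the CACTUSTORCH rule's 'selection' logic to
# create_remote_thread events. Field names follow the Sigma category.

SOURCE_SUFFIXES = (
    r"\System32\cscript.exe",
    r"\System32\wscript.exe",
    r"\System32\mshta.exe",
    r"\winword.exe",
    r"\excel.exe",
)
TARGET_SUBSTRING = "\\SysWOW64\\"  # 32-bit target process on 64-bit Windows


def is_null(value) -> bool:
    # Assumption: the collector maps Sysmon's '-' placeholder (StartModule
    # unknown) to an empty field, so '-' and '' both count as Sigma null.
    return value is None or str(value).strip() in ("", "-")


def matches_cactustorch(event: dict) -> bool:
    """True when the event satisfies every field in the rule's selection."""
    src = str(event.get("SourceImage", "")).casefold()
    tgt = str(event.get("TargetImage", "")).casefold()
    if not any(src.endswith(s.casefold()) for s in SOURCE_SUFFIXES):
        return False  # source is not a script host or Office binary
    if TARGET_SUBSTRING.casefold() not in tgt:
        return False  # rule only fires on WoW64 (32-bit) targets
    return is_null(event.get("StartModule"))  # thread start not in a module


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\wscript.exe",
     "TargetImage": r"C:\Windows\SysWOW64\notepad.exe", "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\wscript.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\SysWOW64\werfault.exe", "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "StartModule": r"C:\Windows\SysWOW64\kernel32.dll"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\SysWOW64\rundll32.exe", "StartModule": None},
]


def run_rule(events) -> list:
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_cactustorch(e)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # [0, 4]
```

Events 1 to 3 each miss exactly one condition (64-bit target, unlisted source, known StartModule), which shows why all three fields must match for the rule to fire.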
Related rules
- Csc.EXE Execution Form Potentially Suspicious Parent
- HTML Help HH.EXE Suspicious Child Process
- MSHTA Suspicious Execution 01
- Potential SquiblyTwo Technique Execution
- Suspicious HH.EXE Execution