HackTool - CACTUSTORCH Remote Thread Creation

 1title: HackTool - CACTUSTORCH Remote Thread Creation
 2id: 2e4e488a-6164-4811-9ea1-f960c7359c40
 3status: test
 4description: Detects remote thread creation from CACTUSTORCH as described in references.
 5references:
 6    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
 7    - https://github.com/mdsecactivebreach/CACTUSTORCH
 8author: '@SBousseaden (detection), Thomas Patzke (rule)'
 9date: 2019-02-01
10modified: 2023-05-05
11tags:
12    - attack.privilege-escalation
13    - attack.defense-evasion
14    - attack.execution
15    - attack.t1055.012
16    - attack.t1059.005
17    - attack.t1059.007
18    - attack.t1218.005
19logsource:
20    product: windows
21    category: create_remote_thread
22detection:
23    selection:
24        SourceImage|endswith:
25            - '\System32\cscript.exe'
26            - '\System32\wscript.exe'
27            - '\System32\mshta.exe'
28            - '\winword.exe'
29            - '\excel.exe'
30        TargetImage|contains: '\SysWOW64\'
31        StartModule: null
32    condition: selection
33falsepositives:
34    - Unknown
35level: high

References

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

• GitHub - mdsecactivebreach/CACTUSTORCH: CACTUSTORCH: Payload Generation for Adversary Simulations

  

  CACTUSTORCH: Payload Generation for Adversary Simulations - mdsecactivebreach/CACTUSTORCH

  
  Read More

Related rules

• Csc.EXE Execution Form Potentially Suspicious Parent
• MSHTA Execution with Suspicious File Extensions
• Potential SquiblyTwo Technique Execution
• HTML Help HH.EXE Suspicious Child Process
• Suspicious HH.EXE Execution