Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects the creation of a remote thread in the RDP client "mstsc.exe" by a process running from a potentially suspicious location (temporary and public directories that standard users can write to). Attackers use remote thread creation to inject code into "mstsc.exe" and hook APIs in the DLLs it loads during RDP authentication, so that the credentials a user enters into the client can be captured.
Sigma rule

title: Remote Thread Creation In Mstsc.Exe From Suspicious Location
id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
status: experimental
description: |
    Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
    This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
references:
    - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2024-01-22
tags:
    - attack.credential-access
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\mstsc.exe'
        SourceImage|contains:
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\PerfLogs\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high
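The `detection` block above maps, on Windows, to Sysmon Event ID 8 (CreateRemoteThread), whose records carry the `SourceImage` and `TargetImage` fields the rule tests. The following is an added example, not part of the Sigma rule or the referenced project: it hard-codes the rule's two conditions in Python (rather than parsing the YAML) and evaluates them over a few constructed EID 8 records to show which ones fire. Sigma string modifiers such as `contains` and `endswith` are case-insensitive, so the matcher lower-cases both sides before comparing. The event dictionaries and file names are constructed samples, not real telemetry.

```python
"""Evaluate the rule's `selection` over constructed Sysmon EID 8 records.

The matching below mirrors the Sigma rule verbatim: TargetImage must end
with '\\mstsc.exe' AND SourceImage must contain one of the listed path
fragments.  All sample events are constructed for this example.
"""

# SourceImage|contains list from the rule (backslashes doubled for Python).
SUSPICIOUS_SOURCE_DIRS = (
    ":\\Temp\\",
    ":\\Users\\Public\\",
    ":\\Windows\\PerfLogs\\",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
)

# TargetImage|endswith value from the rule.
TARGET_SUFFIX = "\\mstsc.exe"


def matches_rule(event: dict) -> bool:
    """Return True when an EID 8 record satisfies the rule's `selection`.

    Sigma `contains`/`endswith` are case-insensitive by default, so both the
    event fields and the rule literals are lower-cased before comparison.
    """
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if not target.endswith(TARGET_SUFFIX.lower()):
        return False
    return any(fragment.lower() in source for fragment in SUSPICIOUS_SOURCE_DIRS)


def alerting_events(events):
    """Filter to CreateRemoteThread (EID 8) records that match the rule."""
    return [e for e in events if e.get("EventID") == 8 and matches_rule(e)]


# Constructed sample records in the shape Sysmon EID 8 presents them.
SAMPLE_EVENTS = [
    {   # injector running from a user's %TEMP% -> should alert
        "EventID": 8,
        "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\injector.exe",
        "TargetImage": "C:\\Windows\\System32\\mstsc.exe",
        "StartAddress": "0x00007FF8A1B20000",
    },
    {   # same target, but the source is an OS binary in System32 -> no alert
        "EventID": 8,
        "SourceImage": "C:\\Windows\\System32\\csrss.exe",
        "TargetImage": "C:\\Windows\\System32\\mstsc.exe",
        "StartAddress": "0x00007FF8A0010000",
    },
    {   # suspicious source, but a different target -> outside this rule's scope
        "EventID": 8,
        "SourceImage": "C:\\Windows\\Temp\\loader.exe",
        "TargetImage": "C:\\Windows\\System32\\lsass.exe",
        "StartAddress": "0x00007FF8A2330000",
    },
    {   # mixed-case paths under Users\Public -> should alert (case-insensitive)
        "EventID": 8,
        "SourceImage": "c:\\users\\public\\UPDATE.EXE",
        "TargetImage": "C:\\Windows\\SYSTEM32\\MSTSC.EXE",
        "StartAddress": "0x00007FF8A3440000",
    },
]


if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SourceImage']} -> {hit['TargetImage']}")
```

Two operational caveats follow from the logic. Sysmon does not record CreateRemoteThread events unless the deployed configuration enables Event ID 8, so the rule is silent on hosts without that setting. And the rule keys only on the injector's path: an injector launched from a directory outside the six listed fragments produces no match, so pairing it with a broader CreateRemoteThread-into-mstsc.exe hunt query is worthwhile where the alert volume allows.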