Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Sigma rule
```yaml
title: Remote Thread Creation In Mstsc.Exe From Suspicious Location
id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
status: test
description: |
    Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
    This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
references:
    - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2024-01-22
tags:
    - attack.credential-access
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\mstsc.exe'
        SourceImage|contains:
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\PerfLogs\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high
```
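To see what the `selection` block above actually matches, here is an added example (not part of the rule or of SigmaHQ) that evaluates it in Python against a handful of constructed Sysmon Event ID 8 (CreateRemoteThread) records; the event field values are made up, and Sigma's default case-insensitive string matching is assumed.

```python
"""Evaluate the rule's `selection` against Sysmon Event ID 8 (CreateRemoteThread) records."""

# Patterns copied from the rule's selection. Sigma string matching is
# case-insensitive by default, so both sides are lower-cased before comparing.
TARGET_IMAGE_SUFFIX = "\\mstsc.exe"
SUSPICIOUS_SOURCE_DIRS = (
    ":\\Temp\\",
    ":\\Users\\Public\\",
    ":\\Windows\\PerfLogs\\",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection` condition.

    `event` is a flat dict of Sysmon field names (SourceImage, TargetImage, ...).
    A missing field never matches, just as an absent field would not in the SIEM.
    """
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if not target.endswith(TARGET_IMAGE_SUFFIX.lower()):
        return False  # thread was not created inside mstsc.exe
    return any(d.lower() in source for d in SUSPICIOUS_SOURCE_DIRS)


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 8.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": r"C:\Windows\System32\mstsc.exe"},      # hit: Public folder
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "TargetImage": r"c:\windows\system32\MSTSC.EXE"},      # hit: mixed case
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\mstsc.exe"},      # miss: trusted path
    {"SourceImage": r"C:\Windows\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},    # miss: wrong target
]


def alerting_events(events):
    """Return the subset of events the rule would fire on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["SourceImage"], "->", e["TargetImage"])
```

The second sample shows why the lower-casing matters: a SIEM that matched these fields case-sensitively would miss an `MSTSC.EXE` target even though Sigma semantics say it should fire.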
References
- https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
Related rules
- GALLIUM IOCs
- HackTool - CreateMiniDump Execution
- HackTool - HandleKatz LSASS Dumper Execution
- HackTool - Windows Credential Editor (WCE) Execution
- Hacktool Execution - Imphash