Remote Thread Creation In Mstsc.Exe From Suspicious Location

Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. Attackers often use this technique to hook APIs used by DLLs that "mstsc.exe" loads during RDP authentication, in order to steal credentials.

Sigma rule (View on GitHub)

title: Remote Thread Creation In Mstsc.Exe From Suspicious Location
id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
status: test
description: |
    Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
    This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
references:
    - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2024-01-22
tags:
    - attack.credential-access
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\mstsc.exe'
        SourceImage|contains:
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\PerfLogs\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high
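
The rule's selection logic written out in Python and run over constructed Sysmon Event ID 8 (CreateRemoteThread) records. This is an added example, not code from the Sigma project or the original page; the sample paths and the helper names `matches_rule` and `triage` are assumptions made for illustration.

```python
# Added example: evaluates the rule's `selection` against constructed events.
# Sigma `endswith` / `contains` compare case-insensitively by default.
TARGET_SUFFIX = "\\mstsc.exe"
SOURCE_PARTS = [
    ":\\Temp\\",               # leading ':' means any drive letter matches
    ":\\Users\\Public\\",
    ":\\Windows\\PerfLogs\\",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",  # no drive anchor: any user's profile
]


def matches_rule(event):
    """True when TargetImage ends with \\mstsc.exe AND SourceImage holds a listed path."""
    # Missing fields are treated as empty strings, so they never match.
    target = str(event.get("TargetImage", "")).lower()
    source = str(event.get("SourceImage", "")).lower()
    if not target.endswith(TARGET_SUFFIX.lower()):
        return False
    return any(part.lower() in source for part in SOURCE_PARTS)


def triage(events):
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records; field names follow Sysmon Event ID 8.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "TargetImage": "C:\\Windows\\System32\\mstsc.exe"},    # alert
    {"SourceImage": "c:\\users\\public\\tool.exe",
     "TargetImage": "C:\\WINDOWS\\system32\\MSTSC.EXE"},    # alert (case differs)
    {"SourceImage": "D:\\Temp\\rdp_helper.exe",
     "TargetImage": "C:\\Windows\\System32\\mstsc.exe"},    # alert (non-C: drive)
    {"SourceImage": "C:\\Program Files\\Vendor\\agent.exe",
     "TargetImage": "C:\\Windows\\System32\\mstsc.exe"},    # no alert: source path
    {"SourceImage": "C:\\Windows\\Temp\\x.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe"},  # no alert: target
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print("ALERT", e["SourceImage"], "->", e["TargetImage"])
```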
