Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Sigma rule (View on GitHub)
1title: Remote Thread Creation In Mstsc.Exe From Suspicious Location
2id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
3status: experimental
4description: |
5 Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
6 This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
7references:
8 - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/07/28
11modified: 2024/01/22
12tags:
13 - attack.credential_access
14logsource:
15 product: windows
16 category: create_remote_thread
17detection:
18 selection:
19 TargetImage|endswith: '\mstsc.exe'
20 SourceImage|contains:
21 - ':\Temp\'
22 - ':\Users\Public\'
23 - ':\Windows\PerfLogs\'
24 - ':\Windows\Tasks\'
25 - ':\Windows\Temp\'
26 - '\AppData\Local\Temp\'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
RDPCredentialStealer it's a malware that steal credentials provided by users in RDP using API Hooking with Detours in C++ - S12cybersecurity/RDPCredentialStealer
Read More
Related rules
- Password Dumper Remote Thread in LSASS
- Powershell Install a DLL in System Directory
- Hacktool Execution - PE Metadata
- Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- HackTool - CrackMapExec Process Patterns