Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
Sigma rule (View on GitHub)
1title: Remote Thread Creation Via PowerShell In Uncommon Target
2id: 99b97608-3e21-4bfe-8217-2a127c396a0e
3related:
4 - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
5 type: similar
6status: test
7description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
8references:
9 - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
10author: Florian Roth (Nextron Systems)
11date: 2018-06-25
12modified: 2023-11-10
13tags:
14 - attack.defense-evasion
15 - attack.execution
16 - attack.t1218.011
17 - attack.t1059.001
18logsource:
19 product: windows
20 category: create_remote_thread
21detection:
22 selection:
23 SourceImage|endswith:
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 TargetImage|endswith:
27 # Note: Please add additional potential interesting targets to increase coverage
28 - '\rundll32.exe'
29 - '\regsvr32.exe'
30 condition: selection
31falsepositives:
32 - Unknown
33level: medium
References
-
While CLRGuard is effective at preventing the “execute-assembly” command, as well as other BYOL techniques, it is likely that blocking all use of the LoadImage function on a system would negatively...
Read More
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Potential Bumblebee Remote Thread Creation
- Suspicious HH.EXE Execution
- Obfuscated PowerShell OneLiner Execution
- APT29 2018 Phishing Campaign CommandLine Indicators