Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
Sigma rule (View on GitHub)
1title: Remote Thread Creation Via PowerShell In Uncommon Target
2id: 99b97608-3e21-4bfe-8217-2a127c396a0e
3related:
4 - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
5 type: similar
6status: experimental
7description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
8references:
9 - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
10author: Florian Roth (Nextron Systems)
11date: 2018/06/25
12modified: 2023/11/10
13tags:
14 - attack.defense_evasion
15 - attack.execution
16 - attack.t1218.011
17 - attack.t1059.001
18logsource:
19 product: windows
20 category: create_remote_thread
21detection:
22 selection:
23 SourceImage|endswith:
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 TargetImage|endswith:
27 # Note: Please add additional potential interesting targets to increase coverage
28 - '\rundll32.exe'
29 - '\regsvr32.exe'
30 condition: selection
31falsepositives:
32 - Unknown
33level: medium
References
-
Introduction One of most significant recent developments in sophisticated offensive operations is the use of “Living off the Land” (LotL) techniques by attackers. These techniques leverage legitima...
Read More
Related rules
- Potential Bumblebee Remote Thread Creation
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Invoke-Obfuscation CLIP+ Launcher - System
- Shell32 DLL Execution in Suspicious Directory