Remote Thread Created In Shell Application

calendar Aug 12, 2024 · attack.defense-evasion attack.t1055  ·
Share on: linkedin copy

Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.

Sigma rule (View on GitHub)

 1title: Remote Thread Created In Shell Application
 2id: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f
 3status: experimental
 4description: |
 5    Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
 6    It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.    
 7references:
 8    - https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
 9    - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
10author: Splunk Research Team
11date: 2024-07-29
12tags:
13    - attack.defense-evasion
14    - attack.t1055
15logsource:
16    product: windows
17    category: create_remote_thread
18detection:
19    selection:
20        TargetImage|endswith:
21            - '\cmd.exe'
22            - '\powershell.exe'
23            - '\pwsh.exe'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

  • Detection: Create Remote Thread In Shell Application

    Updated Date: 2024-05-21 ID: 10399c1e-f51e-11eb-b920-acde48001122 Author: Teoderick Contreras, Splunk Type: TTP Product: Splunk Enterprise Security Description The following analytic detects suspicious process injection in command shell applications, specifically targeting cmd.exe and powershell.exe. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.


    Read More

  • IcedID GZIPLOADER Analysis | Binary Defense

    In late February, while tracking a malicious spam campaign from the Qakbot distributor “TR,” Binary Defense’s analysts identified a new version of IcedID being delivered through malicious Word and Excel files. The updated IcedID has a new first stage loading mechanism, which we’ve dubbed “gziploader,” along with new encryption algorithms for hiding its configuration and […]


    Read More

Related rules

to-top