Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

Sigma rule (View on GitHub)

title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
related:
    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-07-08
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    # Source processes that normally have no reason to create a thread in
    # another process. Matched on the image-name suffix only, so the source
    # can live in any directory; the filters below narrow known-benign cases.
    selection:
        SourceImage|endswith:
            - '\explorer.exe'
            - '\iexplore.exe'
            - '\msiexec.exe'
            - '\powerpnt.exe'
            - '\schtasks.exe'
            - '\winlogon.exe'
    # filter_main_*: benign source/target pairings seen on stock Windows.
    # Each filter pins the source to an exact image path so that an
    # exclusion written for one source does not also silence another.
    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
            - 'C:\Windows\System32\wlrmdr.exe'
            - 'C:\Windows\System32\AtBroker.exe'
            - 'C:\Windows\System32\dwm.exe'
            - 'C:\Windows\System32\fontdrvhost.exe'
            - 'C:\Windows\System32\userinit.exe'
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4 # PID 4 is the Windows System process
    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    # Broad exclusion: every explorer.exe remote thread into a target under
    # these four directory trees is dropped, regardless of the target binary.
    # Compare against local telemetry before relying on it as-is.
    filter_main_explorer:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    # The kernel process is logged with the bare name 'System', not a path.
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec_1:
        # Note: MSI installers will trigger this
        # '\AppData\Local\' is a user-writable location; this entry trades
        # some coverage for the noise per-user installers would otherwise cause.
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    # msiexec.exe targeting another msiexec.exe instance, either bitness.
    filter_main_msiexec_2:
        SourceImage|endswith: '\msiexec.exe'
        TargetImage:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    # Exact match on the 64-bit iexplore path; targets are the 32-bit
    # iexplore and rundll32 only.
    filter_main_iexplore:
        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
        TargetImage:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Windows\System32\rundll32.exe'
    # Sigma string matching is case-insensitive, so the upper-case
    # '\POWERPNT.EXE' here pairs with the lower-case entry in the selection.
    filter_main_powerpnt:
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage|contains:
            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
            - 'C:\Program Files (x86)\Microsoft Office\'
    # filter_optional_*: exclusions tied to specific third-party software
    # (Aurora, Check Point SmartConsole, OneDrive, Office setup). The
    # condition below subtracts these as well; remove the ones that do not
    # apply to your environment to keep that coverage.
    filter_optional_aurora_smartconsole1:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceCommandLine|contains|all:
            - 'https://'
            - '.checkpoint.com/documents/'
            - 'SmartConsole_OLH/'
            - 'default.htm#cshid='
    filter_optional_aurora_smartconsole2:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceParentImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceParentImage|contains|all:
            - '\CheckPoint\SmartConsole\'
            - '\SmartConsole.exe'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage: 'C:\Windows\System32\csrss.exe'
    # Events with no recorded target image cannot be attributed to a
    # target process and are dropped (null field and empty string).
    filter_main_null:
        TargetImage: null
    filter_main_empty:
        TargetImage: ''
    filter_optional_onedrive:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_aurora:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\aurora-dashboard.exe'
    filter_optional_officesetup:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\OfficeSetup.exe'
    # Every filter group, main and optional, is subtracted from the selection.
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: medium

References

Related rules
