Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Sigma rule (View on GitHub)
```yaml
title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
related:
    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
      type: derived
status: experimental
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2024-07-15
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\explorer.exe'
            - '\iexplore.exe'
            - '\msiexec.exe'
            - '\powerpnt.exe'
            - '\schtasks.exe'
            - '\winlogon.exe'
    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_explorer:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec:
        # Note: MSI installers will trigger this
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    filter_optional_aurora_smartconsole1:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceCommandLine|contains|all:
            - 'https://'
            - '.checkpoint.com/documents/'
            - 'SmartConsole_OLH/'
            - 'default.htm#cshid='
    filter_optional_aurora_smartconsole2:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceParentImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceParentImage|contains|all:
            - '\CheckPoint\SmartConsole\'
            - '\SmartConsole.exe'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage: 'C:\Windows\System32\csrss.exe'
    filter_main_null:
        TargetImage: null
    filter_main_empty:
        TargetImage: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: medium
```
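To see how the selection and the two filter groups combine under the rule's condition, the following Python evaluator replays the detection logic over a handful of constructed CreateRemoteThread events (Sysmon Event ID 8 field names, fabricated values). It is an added example, not part of the Sigma rule or the SigmaHQ tooling; it implements only the modifiers this rule uses (`endswith`, `startswith`, `contains`, `contains|all`, exact match, `null`) and, like Sigma, compares strings case-insensitively, which is why the selection's `\powerpnt.exe` and the filter's `\POWERPNT.EXE` refer to the same binary.

```python
"""Evaluator for 'Remote Thread Creation By Uncommon Source Image'.

Each event is a dict keyed by the Sigma field names the rule uses
(SourceImage, TargetImage, SourceCommandLine, SourceParentImage,
TargetParentProcessId). Sample events below are constructed, not real
telemetry. String matching is case-insensitive, as in Sigma.
"""


def _s(value):
    """Normalise a field for case-insensitive matching; None becomes ''."""
    return "" if value is None else str(value).lower()


def ends_with(value, suffixes):
    return any(_s(value).endswith(s.lower()) for s in suffixes)


def starts_with(value, prefixes):
    return any(_s(value).startswith(p.lower()) for p in prefixes)


def contains_any(value, needles):
    return any(n.lower() in _s(value) for n in needles)


def contains_all(value, needles):
    return all(n.lower() in _s(value) for n in needles)


def equals(value, literals):
    return _s(value) in [lit.lower() for lit in literals]


SELECTION = ("\\explorer.exe", "\\iexplore.exe", "\\msiexec.exe",
             "\\powerpnt.exe", "\\schtasks.exe", "\\winlogon.exe")


def selection(ev):
    return ends_with(ev.get("SourceImage"), SELECTION)


def filter_main(ev):
    """True if any filter_main_* block matches (each block is AND of its fields)."""
    src, tgt = ev.get("SourceImage"), ev.get("TargetImage")
    winlogon = equals(src, ["C:\\Windows\\System32\\winlogon.exe"])
    return (
        (winlogon and equals(tgt, ["C:\\Windows\\System32\\services.exe",
                                   "C:\\Windows\\System32\\wininit.exe",
                                   "C:\\Windows\\System32\\csrss.exe",
                                   "C:\\Windows\\System32\\LogonUI.exe"]))
        or (winlogon and ev.get("TargetParentProcessId") == 4)
        or (equals(src, ["C:\\Windows\\System32\\schtasks.exe",
                         "C:\\Windows\\SysWOW64\\schtasks.exe"])
            and equals(tgt, ["C:\\Windows\\System32\\conhost.exe"]))
        or (equals(src, ["C:\\Windows\\explorer.exe"])
            and starts_with(tgt, ["C:\\Program Files (x86)\\", "C:\\Program Files\\",
                                  "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]))
        or equals(tgt, ["System"])
        or (ends_with(src, ["\\msiexec.exe"])
            and contains_any(tgt, ["\\AppData\\Local\\", "C:\\Program Files (x86)\\",
                                   "C:\\Program Files\\"]))
        or tgt is None   # filter_main_null: field absent or null
        or tgt == ""     # filter_main_empty
    )


def filter_optional(ev):
    """True if any filter_optional_* block matches."""
    src = ev.get("SourceImage")
    ie = equals(src, ["C:\\Program Files\\internet explorer\\iexplore.exe"])
    return (
        (ie and contains_all(ev.get("SourceCommandLine"),
                             ["https://", ".checkpoint.com/documents/",
                              "SmartConsole_OLH/", "default.htm#cshid="]))
        or (ie and starts_with(ev.get("SourceParentImage"),
                               ["C:\\Program Files\\", "C:\\Program Files (x86)\\"])
            and contains_all(ev.get("SourceParentImage"),
                             ["\\CheckPoint\\SmartConsole\\", "\\SmartConsole.exe"]))
        or (contains_any(src, ["\\Microsoft Office\\"])
            and ends_with(src, ["\\POWERPNT.EXE"])
            and equals(ev.get("TargetImage"), ["C:\\Windows\\System32\\csrss.exe"]))
    )


def matches(ev):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(ev) and not filter_main(ev) and not filter_optional(ev)


# Constructed sample events: expected results are noted per event.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Windows\\System32\\winlogon.exe",            # filtered (winlogon_1)
     "TargetImage": "C:\\Windows\\System32\\csrss.exe", "TargetParentProcessId": 500},
    {"SourceImage": "C:\\Windows\\explorer.exe",                      # alert: target outside allowed roots
     "TargetImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"},
    {"SourceImage": "C:\\Windows\\System32\\schtasks.exe",            # filtered (schtasks_conhost)
     "TargetImage": "C:\\Windows\\System32\\conhost.exe"},
    {"SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE",
     "TargetImage": "C:\\Windows\\System32\\csrss.exe"},              # filtered (optional_powerpnt)
    {"SourceImage": "C:\\Windows\\System32\\msiexec.exe",             # alert: not an installer path
     "TargetImage": "C:\\Users\\bob\\Downloads\\tool.exe"},
    {"SourceImage": "C:\\Windows\\System32\\notepad.exe",             # not in selection
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
]


def alerts(events=SAMPLE_EVENTS):
    """Return (SourceImage, TargetImage) pairs the rule would fire on."""
    return [(e["SourceImage"], e["TargetImage"]) for e in events if matches(e)]


if __name__ == "__main__":
    for src, tgt in alerts():
        print(f"ALERT: {src} -> {tgt}")
```

Running it against the sample set fires on the two events whose target lies outside the paths the filters whitelist (the `explorer.exe` and `msiexec.exe` cases) and stays quiet on the documented benign pairs. When baselining, as the `falsepositives` note advises, feed the evaluator your own exported events and review which filter (if any) suppressed each hit before deciding whether to extend `filter_main_*` for your environment.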
Related rules
- APT PRIVATELOG Image Load Pattern
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- CobaltStrike Named Pipe Patterns
- HackTool - CoercedPotato Execution