Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Sigma rule (View on GitHub)
1title: Remote Thread Creation By Uncommon Source Image
2id: 66d31e5f-52d6-40a4-9615-002d3789a119
3related:
4 - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
5 type: derived
6status: experimental
7description: Detects uncommon processes creating remote threads.
8references:
9 - Personal research, statistical analysis
10 - https://lolbas-project.github.io
11author: Perez Diego (@darkquassar), oscd.community
12date: 2019-10-27
13modified: 2024-07-15
14tags:
15 - attack.privilege-escalation
16 - attack.defense-evasion
17 - attack.t1055
18logsource:
19 product: windows
20 category: create_remote_thread
21detection:
22 selection:
23 SourceImage|endswith:
24 - '\explorer.exe'
25 - '\iexplore.exe'
26 - '\msiexec.exe'
27 - '\powerpnt.exe'
28 - '\schtasks.exe'
29 - '\winlogon.exe'
30 filter_main_winlogon_1:
31 SourceImage: 'C:\Windows\System32\winlogon.exe'
32 TargetImage:
33 - 'C:\Windows\System32\services.exe' # happens on Windows 7
34 - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
35 - 'C:\Windows\System32\csrss.exe' # multiple OS
36 - 'C:\Windows\System32\LogonUI.exe' # multiple OS
37 filter_main_winlogon_2:
38 SourceImage: 'C:\Windows\System32\winlogon.exe'
39 TargetParentProcessId: 4
40 filter_main_schtasks_conhost:
41 SourceImage:
42 - 'C:\Windows\System32\schtasks.exe'
43 - 'C:\Windows\SysWOW64\schtasks.exe'
44 TargetImage: 'C:\Windows\System32\conhost.exe'
45 filter_main_explorer:
46 SourceImage: 'C:\Windows\explorer.exe'
47 TargetImage|startswith:
48 - 'C:\Program Files (x86)\'
49 - 'C:\Program Files\'
50 - 'C:\Windows\System32\'
51 - 'C:\Windows\SysWOW64\'
52 filter_main_system:
53 TargetImage: 'System'
54 filter_main_msiexec:
55 # Note: MSI installers will trigger this
56 SourceImage|endswith: '\msiexec.exe'
57 TargetImage|contains:
58 - '\AppData\Local\'
59 - 'C:\Program Files (x86)\'
60 - 'C:\Program Files\'
61 filter_optional_aurora_smartconsole1:
62 SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
63 SourceCommandLine|contains|all:
64 - 'https://'
65 - '.checkpoint.com/documents/'
66 - 'SmartConsole_OLH/'
67 - 'default.htm#cshid='
68 filter_optional_aurora_smartconsole2:
69 SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
70 SourceParentImage|startswith:
71 - 'C:\Program Files\'
72 - 'C:\Program Files (x86)\'
73 SourceParentImage|contains|all:
74 - '\CheckPoint\SmartConsole\'
75 - '\SmartConsole.exe'
76 filter_optional_powerpnt:
77 # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
78 SourceImage|contains: '\Microsoft Office\'
79 SourceImage|endswith: '\POWERPNT.EXE'
80 TargetImage: 'C:\Windows\System32\csrss.exe'
81 filter_main_null:
82 TargetImage: null
83 filter_main_empty:
84 TargetImage: ''
85 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
86falsepositives:
87 - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
88level: medium
References
Related rules
- APT PRIVATELOG Image Load Pattern
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- CobaltStrike Named Pipe Patterns
- Malicious Named Pipe Created