Remote Thread Creation By Uncommon Source Image

Jul 8, 2025 · attack.privilege-escalation attack.defense-evasion attack.t1055 ·

Detects uncommon processes creating remote threads.

Sigma rule (View on GitHub)

  1title: Remote Thread Creation By Uncommon Source Image
  2id: 66d31e5f-52d6-40a4-9615-002d3789a119
  3related:
  4    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
  5      type: derived
  6status: test
  7description: Detects uncommon processes creating remote threads.
  8references:
  9    - Personal research, statistical analysis
 10    - https://lolbas-project.github.io
 11author: Perez Diego (@darkquassar), oscd.community
 12date: 2019-10-27
 13modified: 2025-07-08
 14tags:
 15    - attack.privilege-escalation
 16    - attack.defense-evasion
 17    - attack.t1055
 18logsource:
 19    product: windows
 20    category: create_remote_thread
 21detection:
 22    selection:
 23        SourceImage|endswith:
 24            - '\explorer.exe'
 25            - '\iexplore.exe'
 26            - '\msiexec.exe'
 27            - '\powerpnt.exe'
 28            - '\schtasks.exe'
 29            - '\winlogon.exe'
 30    filter_main_winlogon_1:
 31        SourceImage: 'C:\Windows\System32\winlogon.exe'
 32        TargetImage:
 33            - 'C:\Windows\System32\services.exe' # happens on Windows 7
 34            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
 35            - 'C:\Windows\System32\csrss.exe' # multiple OS
 36            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
 37            - 'C:\Windows\System32\wlrmdr.exe'
 38            - 'C:\Windows\System32\AtBroker.exe'
 39            - 'C:\Windows\System32\dwm.exe'
 40            - 'C:\Windows\System32\fontdrvhost.exe'
 41            - 'C:\Windows\System32\userinit.exe'
 42    filter_main_winlogon_2:
 43        SourceImage: 'C:\Windows\System32\winlogon.exe'
 44        TargetParentProcessId: 4
 45    filter_main_schtasks_conhost:
 46        SourceImage:
 47            - 'C:\Windows\System32\schtasks.exe'
 48            - 'C:\Windows\SysWOW64\schtasks.exe'
 49        TargetImage: 'C:\Windows\System32\conhost.exe'
 50    filter_main_explorer:
 51        SourceImage: 'C:\Windows\explorer.exe'
 52        TargetImage|startswith:
 53            - 'C:\Program Files (x86)\'
 54            - 'C:\Program Files\'
 55            - 'C:\Windows\System32\'
 56            - 'C:\Windows\SysWOW64\'
 57    filter_main_system:
 58        TargetImage: 'System'
 59    filter_main_msiexec_1:
 60        # Note: MSI installers will trigger this
 61        SourceImage|endswith: '\msiexec.exe'
 62        TargetImage|contains:
 63            - '\AppData\Local\'
 64            - 'C:\Program Files (x86)\'
 65            - 'C:\Program Files\'
 66            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
 67    filter_main_msiexec_2:
 68        SourceImage|endswith: '\msiexec.exe'
 69        TargetImage:
 70            - 'C:\Windows\System32\msiexec.exe'
 71            - 'C:\Windows\SysWOW64\msiexec.exe'
 72    filter_main_iexplore:
 73        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
 74        TargetImage:
 75            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
 76            - 'C:\Windows\System32\rundll32.exe'
 77    filter_main_powerpnt:
 78        SourceImage|endswith: '\POWERPNT.EXE'
 79        TargetImage|contains:
 80            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
 81            - 'C:\Program Files (x86)\Microsoft Office\'
 82    filter_optional_aurora_smartconsole1:
 83        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
 84        SourceCommandLine|contains|all:
 85            - 'https://'
 86            - '.checkpoint.com/documents/'
 87            - 'SmartConsole_OLH/'
 88            - 'default.htm#cshid='
 89    filter_optional_aurora_smartconsole2:
 90        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
 91        SourceParentImage|startswith:
 92            - 'C:\Program Files\'
 93            - 'C:\Program Files (x86)\'
 94        SourceParentImage|contains|all:
 95            - '\CheckPoint\SmartConsole\'
 96            - '\SmartConsole.exe'
 97    filter_optional_powerpnt:
 98        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
 99        SourceImage|contains: '\Microsoft Office\'
100        SourceImage|endswith: '\POWERPNT.EXE'
101        TargetImage: 'C:\Windows\System32\csrss.exe'
102    filter_main_null:
103        TargetImage: null
104    filter_main_empty:
105        TargetImage: ''
106    filter_optional_onedrive:
107        SourceImage: 'C:\Windows\explorer.exe'
108        TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
109    filter_optional_aurora:
110        SourceImage: 'C:\Windows\explorer.exe'
111        TargetImage|endswith: '\aurora-dashboard.exe'
112    filter_optional_officesetup:
113        SourceImage: 'C:\Windows\explorer.exe'
114        TargetImage|endswith: '\OfficeSetup.exe'
115    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
116falsepositives:
117    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
118level: medium

References

Personal research, statistical analysis

Read More
LOLBAS

AddinUtil.exe Binaries AppInstaller.exe Binaries Aspnet_Compiler.exe Binaries At.exe Binaries Atbroker.exe Binaries Bash.exe Binaries Bitsadmin.exe Binaries CertOC.exe Binaries CertReq.exe Binaries...

Read More

Remote Thread Creation By Uncommon Source Image

Sigma rule (View on GitHub)

References

Personal research, statistical analysis

LOLBAS

Related rules