Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Sigma rule:
title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
related:
    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-07-08
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\explorer.exe'
            - '\iexplore.exe'
            - '\msiexec.exe'
            - '\powerpnt.exe'
            - '\schtasks.exe'
            - '\winlogon.exe'
    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
            - 'C:\Windows\System32\wlrmdr.exe'
            - 'C:\Windows\System32\AtBroker.exe'
            - 'C:\Windows\System32\dwm.exe'
            - 'C:\Windows\System32\fontdrvhost.exe'
            - 'C:\Windows\System32\userinit.exe'
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_explorer:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec_1:
        # Note: MSI installers will trigger this
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    filter_main_msiexec_2:
        SourceImage|endswith: '\msiexec.exe'
        TargetImage:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_iexplore:
        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
        TargetImage:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Windows\System32\rundll32.exe'
    filter_main_powerpnt:
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage|contains:
            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
            - 'C:\Program Files (x86)\Microsoft Office\'
    filter_optional_aurora_smartconsole1:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceCommandLine|contains|all:
            - 'https://'
            - '.checkpoint.com/documents/'
            - 'SmartConsole_OLH/'
            - 'default.htm#cshid='
    filter_optional_aurora_smartconsole2:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceParentImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceParentImage|contains|all:
            - '\CheckPoint\SmartConsole\'
            - '\SmartConsole.exe'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage: 'C:\Windows\System32\csrss.exe'
    filter_main_null:
        TargetImage: null
    filter_main_empty:
        TargetImage: ''
    filter_optional_onedrive:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_aurora:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\aurora-dashboard.exe'
    filter_optional_officesetup:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\OfficeSetup.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: medium
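To show how the condition above is evaluated, here is an added example (not part of the rule or of SigmaHQ) that re-implements the selection and the filter_main_* blocks in Python and runs them over constructed Sysmon Event ID 8 (CreateRemoteThread) records; the filter_optional_* blocks are omitted, and the sample events and paths are constructed, not real telemetry.

```python
# Added example, not from the Sigma rule: selection and filter_main_* logic
# applied to constructed CreateRemoteThread events (filter_optional_* omitted).
UNCOMMON_SOURCES = ("\\explorer.exe", "\\iexplore.exe", "\\msiexec.exe",
                    "\\powerpnt.exe", "\\schtasks.exe", "\\winlogon.exe")
WINLOGON_TARGETS = {"c:\\windows\\system32\\" + n for n in (
    "services.exe", "wininit.exe", "csrss.exe", "logonui.exe", "wlrmdr.exe",
    "atbroker.exe", "dwm.exe", "fontdrvhost.exe", "userinit.exe")}
EXPLORER_DIRS = ("c:\\program files (x86)\\", "c:\\program files\\",
                 "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MSIEXEC_SUBSTR = ("\\appdata\\local\\", "c:\\program files (x86)\\",
                  "c:\\program files\\", "c:\\windows\\microsoft.net\\framework64\\")

def _lc(value):
    # Sigma string matching is case-insensitive, so normalise before comparing.
    return (value or "").lower()

def filter_main(ev):
    """True when any filter_main_* block matches, i.e. the event is known-benign."""
    src, t = _lc(ev.get("SourceImage")), _lc(ev.get("TargetImage"))
    if t in ("", "system"):                      # filter_main_null / _empty / _system
        return True
    if src == "c:\\windows\\system32\\winlogon.exe" and (
            t in WINLOGON_TARGETS or ev.get("TargetParentProcessId") == 4):
        return True                              # filter_main_winlogon_1 / _2
    if src in ("c:\\windows\\system32\\schtasks.exe", "c:\\windows\\syswow64\\schtasks.exe") \
            and t == "c:\\windows\\system32\\conhost.exe":
        return True                              # filter_main_schtasks_conhost
    if src == "c:\\windows\\explorer.exe" and t.startswith(EXPLORER_DIRS):
        return True                              # filter_main_explorer
    if src.endswith("\\msiexec.exe") and (any(s in t for s in MSIEXEC_SUBSTR) or
            t in ("c:\\windows\\system32\\msiexec.exe", "c:\\windows\\syswow64\\msiexec.exe")):
        return True                              # filter_main_msiexec_1 / _2
    return False

def matches(ev):
    # condition: selection and not 1 of filter_main_*
    return _lc(ev.get("SourceImage")).endswith(UNCOMMON_SOURCES) and not filter_main(ev)

EVENTS = [  # constructed sample events, not real telemetry
    {"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
    {"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe"},
    {"SourceImage": "C:\\Windows\\System32\\winlogon.exe", "TargetImage": "C:\\Windows\\System32\\csrss.exe"},
    {"SourceImage": "C:\\Windows\\System32\\msiexec.exe", "TargetImage": "C:\\Windows\\Temp\\stage2.exe"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
]

def alerts(events=EVENTS):
    # TargetImage of every event the rule would alert on
    return [ev["TargetImage"] for ev in events if matches(ev)]
```

Only the explorer.exe thread into a user-writable Temp path and the msiexec.exe thread into C:\Windows\Temp survive the filters; svchost.exe is never selected because it is not in the rule's SourceImage list.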
Related rules
- Rare Remote Thread Creation By Uncommon Source Image
- Suspicious Child Process Of Wermgr.EXE
- HackTool - CoercedPotato Execution
- HackTool - EfsPotato Named Pipe Creation
- HackTool - CoercedPotato Named Pipe Creation