Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

Sigma rule (View on GitHub)

 1title: Remote Thread Creation By Uncommon Source Image
 2id: 66d31e5f-52d6-40a4-9615-002d3789a119
 3related:
 4    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
 5      type: derived
 6status: experimental
 7description: Detects uncommon processes creating remote threads.
 8references:
 9    - Personal research, statistical analysis
10    - https://lolbas-project.github.io
11author: Perez Diego (@darkquassar), oscd.community
12date: 2019/10/27
13modified: 2024/01/17
14tags:
15    - attack.privilege_escalation
16    - attack.defense_evasion
17    - attack.t1055
18logsource:
19    product: windows
20    category: create_remote_thread
21detection:
22    selection:
23        SourceImage|endswith:
24            - '\explorer.exe'
25            - '\iexplore.exe'
26            - '\msiexec.exe'
27            - '\powerpnt.exe'
28            - '\schtasks.exe'
29            - '\winlogon.exe'
30    filter_main_winlogon_1:
31        SourceImage|endswith: ':\Windows\System32\winlogon.exe'
32        TargetImage|endswith:
33            - ':\Windows\System32\services.exe' # happens on Windows 7
34            - ':\Windows\System32\wininit.exe' # happens on Windows 7
35            - ':\Windows\System32\csrss.exe' # multiple OS
36            - ':\Windows\System32\LogonUI.exe' # multiple OS
37    filter_main_winlogon_2:
38        SourceImage|contains: ':\Windows\System32\winlogon.exe'
39        TargetParentProcessId: 4
40    filter_main_schtasks_conhost:
41        SourceImage|endswith:
42            - ':\Windows\System32\schtasks.exe'
43            - ':\Windows\SysWOW64\schtasks.exe'
44        TargetImage|endswith: ':\Windows\System32\conhost.exe'
45    filter_main_explorer:
46        SourceImage|endswith: ':\Windows\explorer.exe'
47        TargetImage|endswith:
48            - ':\Program Files (x86)\'
49            - ':\Program Files\'
50            - ':\Windows\System32\'
51            - ':\Windows\SysWOW64\'
52    filter_main_system:
53        TargetImage: 'System'
54    filter_main_msiexec:
55        # Note: MSI installers will trigger this
56        SourceImage|endswith: '\msiexec.exe'
57        TargetImage|contains:
58            - '\AppData\Local\'
59            - ':\Program Files (x86)\'
60            - ':\Program Files\'
61    filter_optional_aurora_smartconsole1:
62        SourceImage|contains: ':\Program Files\internet explorer\iexplore.exe'
63        SourceCommandLine|contains|all:
64            - 'https://'
65            - '.checkpoint.com/documents/'
66            - 'SmartConsole_OLH/'
67            - 'default.htm#cshid='
68    filter_optional_aurora_smartconsole2:
69        SourceImage|contains: ':\Program Files\internet explorer\iexplore.exe'
70        SourceParentImage|contains|all:
71            - ':\Program Files'  # x86 and not
72            - '\CheckPoint\SmartConsole\'
73            - '\SmartConsole.exe'
74    filter_optional_powerpnt:
75        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
76        SourceImage|contains: '\Microsoft Office\'
77        SourceImage|endswith: '\POWERPNT.EXE'
78        TargetImage|endswith: ':\Windows\System32\csrss.exe'
79    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
80falsepositives:
81    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
82level: medium

References

Related rules
