Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
Sigma rule

```yaml
title: Remote Thread Creation In Uncommon Target Image
id: a1a144b7-5c9b-4853-a559-2172be8d4a03
related:
    - id: f016c716-754a-467f-a39e-63c06f773987
      type: obsolete
status: test
description: Detects uncommon target processes for remote thread creation
references:
    - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth (Nextron Systems)
date: 2022-03-16
modified: 2025-07-04
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1055.003
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith:
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\sethc.exe'
            - '\spoolsv.exe'
            - '\wordpad.exe'
            - '\write.exe'
    filter_main_csrss:
        SourceImage: 'C:\Windows\System32\csrss.exe'
    filter_main_notepad:
        SourceImage:
            - 'C:\Windows\System32\explorer.exe'
            - 'C:\Windows\System32\OpenWith.exe'
        TargetImage: 'C:\Windows\System32\notepad.exe'
    filter_main_sethc:
        SourceImage: 'C:\Windows\System32\AtBroker.exe'
        TargetImage: 'C:\Windows\System32\Sethc.exe'
    filter_optional_aurora_1:
        StartFunction: 'EtwpNotificationThread'
    filter_optional_aurora_2:
        SourceImage|contains: 'unknown process'
    filter_optional_vmtoolsd:
        SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
        StartFunction: 'GetCommandLineW'
        TargetImage:
            - 'C:\Windows\System32\notepad.exe'
            - 'C:\Windows\System32\spoolsv.exe'
    filter_optional_xerox_pjems:
        SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
        StartFunction: 'LoadLibraryW'
        TargetImage: 'C:\Windows\System32\spoolsv.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
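To make the condition concrete, here is a small Python evaluator (added here as an illustration; it is not SigmaHQ code and not part of this rule page) that transcribes the rule's selection and filter maps and applies `selection and not 1 of filter_main_* and not 1 of filter_optional_*` to constructed Sysmon Event ID 8 (CreateRemoteThread) records. It follows Sigma's default semantics: string comparisons are case-insensitive, the fields of one map are ANDed, and a list of values for one field is ORed. The sample events, their labels, and the non-Windows source paths in them are made up for the demonstration.

```python
"""Toy Sigma evaluator for the remote-thread rule above (illustration, not SigmaHQ code).
Event field names follow the create_remote_thread logsource (SourceImage, TargetImage,
StartFunction); the records in SAMPLE_EVENTS are constructed, not real telemetry."""
import fnmatch

# Detection block transcribed from the rule's YAML.
SELECTION = {"TargetImage|endswith": [
    r"\calc.exe", r"\calculator.exe", r"\mspaint.exe", r"\notepad.exe",
    r"\ping.exe", r"\sethc.exe", r"\spoolsv.exe", r"\wordpad.exe", r"\write.exe"]}

FILTERS = {
    "filter_main_csrss": {"SourceImage": r"C:\Windows\System32\csrss.exe"},
    "filter_main_notepad": {
        "SourceImage": [r"C:\Windows\System32\explorer.exe",
                        r"C:\Windows\System32\OpenWith.exe"],
        "TargetImage": r"C:\Windows\System32\notepad.exe"},
    "filter_main_sethc": {"SourceImage": r"C:\Windows\System32\AtBroker.exe",
                          "TargetImage": r"C:\Windows\System32\Sethc.exe"},
    "filter_optional_aurora_1": {"StartFunction": "EtwpNotificationThread"},
    "filter_optional_aurora_2": {"SourceImage|contains": "unknown process"},
    "filter_optional_vmtoolsd": {
        "SourceImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
        "StartFunction": "GetCommandLineW",
        "TargetImage": [r"C:\Windows\System32\notepad.exe",
                        r"C:\Windows\System32\spoolsv.exe"]},
    "filter_optional_xerox_pjems": {
        "SourceImage": r"C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles"
                       r"\XeroxPrintJobEventManagerService.exe",
        "StartFunction": "LoadLibraryW",
        "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
}


def _match_value(actual, pattern, modifier):
    # Sigma string matching is case-insensitive by default.
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    return a == p


def match_map(event, spec):
    """Every field in a Sigma map must match (AND); a value list is OR."""
    for key, patterns in spec.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:            # a missing field never matches
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(actual, p, modifier) for p in values):
            return False
    return True


def evaluate(event):
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not match_map(event, SELECTION):
        return False
    for prefix in ("filter_main_*", "filter_optional_*"):
        # '1 of <prefix>' is true when any filter whose name matches the glob fires
        if any(match_map(event, FILTERS[n]) for n in fnmatch.filter(FILTERS, prefix)):
            return False
    return True


# Constructed events; the "_label" key is ours and is not a Sysmon field.
SAMPLE_EVENTS = [
    {"_label": "temp-updater-into-notepad", "StartFunction": "",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"_label": "explorer-into-notepad", "StartFunction": "",
     "SourceImage": r"C:\Windows\System32\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"_label": "vmtoolsd-spoolsv-expected-start", "StartFunction": "GetCommandLineW",
     "SourceImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"_label": "vmtoolsd-spoolsv-other-start", "StartFunction": "LoadLibraryW",
     "SourceImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"_label": "csrss-into-calc", "StartFunction": "",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\calc.exe"},
    {"_label": "unknown-source-into-spoolsv", "StartFunction": "",
     "SourceImage": "<unknown process>",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"_label": "atbroker-into-sethc-uppercase", "StartFunction": "",
     "SourceImage": r"C:\Windows\System32\AtBroker.exe",
     "TargetImage": r"C:\Windows\System32\SETHC.EXE"},
    {"_label": "target-not-in-selection", "StartFunction": "",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def alerts(events):
    """Labels of the events the rule would raise an alert on."""
    return [e["_label"] for e in events if evaluate(e)]


if __name__ == "__main__":
    for label in alerts(SAMPLE_EVENTS):
        print("ALERT:", label)
```

Two of the sample records are worth noting: the second vmtoolsd event still alerts because `filter_optional_vmtoolsd` ANDs `StartFunction: 'GetCommandLineW'` with the source and target, so a different start address does not get the exemption; and the upper-case `SETHC.EXE` target is still suppressed by `filter_main_sethc`, since Sigma matching ignores case. Anyone porting this rule to a backend should confirm it preserves both behaviours.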
References
- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
Related rules
- Rare Remote Thread Creation By Uncommon Source Image
- Remote Thread Creation By Uncommon Source Image
- Suspicious Child Process Of Wermgr.EXE
- Potential Notepad++ CVE-2025-49144 Exploitation
- Trusted Path Bypass via Windows Directory Spoofing