Remote Thread Creation In Uncommon Target Image

calendar Jul 8, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1055.003  ·
Share on: linkedin copy

Detects uncommon target processes for remote thread creation

Sigma rule (View on GitHub)

 1title: Remote Thread Creation In Uncommon Target Image
 2id: a1a144b7-5c9b-4853-a559-2172be8d4a03
 3related:
 4    - id: f016c716-754a-467f-a39e-63c06f773987
 5      type: obsolete
 6status: test
 7description: Detects uncommon target processes for remote thread creation
 8references:
 9    - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
10author: Florian Roth (Nextron Systems)
11date: 2022-03-16
12modified: 2025-07-04
13tags:
14    - attack.defense-evasion
15    - attack.privilege-escalation
16    - attack.t1055.003
17logsource:
18    product: windows
19    category: create_remote_thread
20detection:
21    selection:
22        TargetImage|endswith:
23            - '\calc.exe'
24            - '\calculator.exe'
25            - '\mspaint.exe'
26            - '\notepad.exe'
27            - '\ping.exe'
28            - '\sethc.exe'
29            - '\spoolsv.exe'
30            - '\wordpad.exe'
31            - '\write.exe'
32    filter_main_csrss:
33        SourceImage: 'C:\Windows\System32\csrss.exe'
34    filter_main_notepad:
35        SourceImage:
36            - 'C:\Windows\System32\explorer.exe'
37            - 'C:\Windows\System32\OpenWith.exe'
38        TargetImage: 'C:\Windows\System32\notepad.exe'
39    filter_main_sethc:
40        SourceImage: 'C:\Windows\System32\AtBroker.exe'
41        TargetImage: 'C:\Windows\System32\Sethc.exe'
42    filter_optional_aurora_1:
43        StartFunction: 'EtwpNotificationThread'
44    filter_optional_aurora_2:
45        SourceImage|contains: 'unknown process'
46    filter_optional_vmtoolsd:
47        SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
48        StartFunction: 'GetCommandLineW'
49        TargetImage:
50            - 'C:\Windows\System32\notepad.exe'
51            - 'C:\Windows\System32\spoolsv.exe'
52    filter_optional_xerox_pjems:
53        SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
54        StartFunction: 'LoadLibraryW'
55        TargetImage: 'C:\Windows\System32\spoolsv.exe'
56    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
57falsepositives:
58    - Unknown
59level: medium

References

Related rules

to-top