Remote Thread Creation In Uncommon Target Image

 1title: Remote Thread Creation In Uncommon Target Image
 2id: a1a144b7-5c9b-4853-a559-2172be8d4a03
 3related:
 4    - id: f016c716-754a-467f-a39e-63c06f773987
 5      type: obsolete
 6status: experimental
 7description: Detects uncommon target processes for remote thread creation
 8references:
 9    - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
10author: Florian Roth (Nextron Systems)
11date: 2022-03-16
12modified: 2024-07-15
13tags:
14    - attack.defense-evasion
15    - attack.privilege-escalation
16    - attack.t1055.003
17logsource:
18    product: windows
19    category: create_remote_thread
20detection:
21    selection:
22        TargetImage|endswith:
23            - '\calc.exe'
24            - '\calculator.exe'
25            - '\mspaint.exe'
26            - '\notepad.exe'
27            - '\ping.exe'
28            - '\sethc.exe'
29            - '\spoolsv.exe'
30            - '\wordpad.exe'
31            - '\write.exe'
32    filter_main_csrss:
33        SourceImage: 'C:\Windows\System32\csrss.exe'
34    filter_optional_aurora_1:
35        StartFunction: 'EtwpNotificationThread'
36    filter_optional_aurora_2:
37        SourceImage|contains: 'unknown process'
38    filter_optional_vmtoolsd:
39        SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
40        StartFunction: 'GetCommandLineW'
41        TargetImage:
42            - 'C:\Windows\System32\notepad.exe'
43            - 'C:\Windows\System32\spoolsv.exe'
44    filter_optional_xerox_pjems:
45        SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
46        StartFunction: 'LoadLibraryW'
47        TargetImage: 'C:\Windows\System32\spoolsv.exe'
48    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
49falsepositives:
50    - Unknown
51level: medium