Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads
Sigma rule

```yaml
title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
status: experimental
description: Detects uncommon processes creating remote threads
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019/10/27
modified: 2023/11/11
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
            - '\cscript.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\explorer.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            # - '\git.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\iexplore.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\powerpnt.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\schtasks.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            # - '\taskhost.exe' # disabled due to false positives
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe'
            - '\winlogon.exe'
            - '\winscp.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_winlogon_1:
        SourceImage|endswith: ':\Windows\System32\winlogon.exe'
        TargetImage|endswith:
            - ':\Windows\System32\services.exe' # happens on Windows 7
            - ':\Windows\System32\wininit.exe' # happens on Windows 7
            - ':\Windows\System32\csrss.exe' # multiple OS
            - ':\Windows\System32\LogonUI.exe' # multiple OS
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage|endswith:
            - ':\Windows\System32\schtasks.exe'
            - ':\Windows\SysWOW64\schtasks.exe'
        TargetImage|endswith: ':\Windows\System32\conhost.exe'
    filter_main_explorer:
        SourceImage|endswith: ':\Windows\explorer.exe'
        TargetImage|endswith:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec:
        # Note: MSI installers will trigger this
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - ':\Program Files (x86)\'
            - ':\Program Files\'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage|endswith: ':\Windows\System32\csrss.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
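The following is an added example, not code from the rule or from SigmaHQ's tooling: it re-implements the rule's `selection`, its `filter_main_*` / `filter_optional_*` blocks and the `condition` in plain Python with Sigma's default case-insensitive string matching, and runs them over a handful of constructed CreateRemoteThread records (Sysmon Event ID 8 field names; none of the records are captured from a real host). Two things the rule text itself shows are worth seeing executed: `filter_main_winlogon_2` keys on `TargetParentProcessId`, which Sysmon's Event ID 8 does not carry on its own, so on un-enriched data that filter never matches and only `filter_main_winlogon_1` protects winlogon.exe; and every value in `filter_main_explorer` ends with a backslash, so `endswith` can only match a `TargetImage` that ends in a directory separator, meaning explorer.exe opening a thread in a System32 binary still fires as written.

```python
"""Evaluate 'Remote Thread Creation By Uncommon Source Image' over sample events.

Added example, not part of the Sigma rule or SigmaHQ tooling. Field names
follow Sysmon Event ID 8; sample events at the bottom are constructed.
"""

# SourceImage allow-list from `selection` (git.exe and taskhost.exe stay
# commented out in the rule, so they are omitted here too).
SOURCE_IMAGES = [
    "\\bash.exe", "\\cscript.exe", "\\cvtres.exe", "\\defrag.exe", "\\dnx.exe",
    "\\esentutl.exe", "\\excel.exe", "\\expand.exe", "\\explorer.exe", "\\find.exe",
    "\\findstr.exe", "\\forfiles.exe", "\\gpupdate.exe", "\\hh.exe", "\\iexplore.exe",
    "\\installutil.exe", "\\lync.exe", "\\makecab.exe", "\\mDNSResponder.exe",
    "\\monitoringhost.exe", "\\msbuild.exe", "\\mshta.exe", "\\msiexec.exe",
    "\\mspaint.exe", "\\outlook.exe", "\\ping.exe", "\\powerpnt.exe", "\\provtool.exe",
    "\\python.exe", "\\regsvr32.exe", "\\robocopy.exe", "\\runonce.exe", "\\sapcimc.exe",
    "\\schtasks.exe", "\\smartscreen.exe", "\\spoolsv.exe", "\\tstheme.exe",
    "\\userinit.exe", "\\vssadmin.exe", "\\vssvc.exe", "\\w3wp.exe", "\\winlogon.exe",
    "\\winscp.exe", "\\winword.exe", "\\wmic.exe", "\\wscript.exe",
]

SELECTION = {"SourceImage|endswith": SOURCE_IMAGES}

FILTERS_MAIN = {
    "winlogon_1": {
        "SourceImage|endswith": ":\\Windows\\System32\\winlogon.exe",
        "TargetImage|endswith": [":\\Windows\\System32\\services.exe",
                                 ":\\Windows\\System32\\wininit.exe",
                                 ":\\Windows\\System32\\csrss.exe",
                                 ":\\Windows\\System32\\LogonUI.exe"],
    },
    # Only matches when the pipeline enriches the event with the target's parent PID.
    "winlogon_2": {"SourceImage": "C:\\Windows\\System32\\winlogon.exe",
                   "TargetParentProcessId": 4},
    "schtasks_conhost": {
        "SourceImage|endswith": [":\\Windows\\System32\\schtasks.exe",
                                 ":\\Windows\\SysWOW64\\schtasks.exe"],
        "TargetImage|endswith": ":\\Windows\\System32\\conhost.exe",
    },
    # Copied as written: trailing backslashes make `endswith` inert for full image paths.
    "explorer": {
        "SourceImage|endswith": ":\\Windows\\explorer.exe",
        "TargetImage|endswith": [":\\Program Files (x86)\\", ":\\Program Files\\",
                                 ":\\Windows\\System32\\", ":\\Windows\\SysWOW64\\"],
    },
    "system": {"TargetImage": "System"},
    "msiexec": {
        "SourceImage|endswith": "\\msiexec.exe",
        "TargetImage|contains": ["\\AppData\\Local\\", ":\\Program Files (x86)\\",
                                 ":\\Program Files\\"],
    },
}

FILTERS_OPTIONAL = {
    "powerpnt": {
        "SourceImage|contains": "\\Microsoft Office\\",
        "SourceImage|endswith": "\\POWERPNT.EXE",
        "TargetImage|endswith": ":\\Windows\\System32\\csrss.exe",
    },
}


def _match(value, modifier, patterns):
    """One field test. A list of patterns is OR-ed; Sigma matching is case-insensitive."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    v = str(value).lower()
    for p in (str(p).lower() for p in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:
            return True
    return False


def _selection_hits(event, fields):
    """Fields inside a selection are AND-ed; a field absent from the event cannot match."""
    for key, patterns in fields.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _match(event[field], modifier, patterns):
            return False
    return True


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (_selection_hits(event, SELECTION)
            and not any(_selection_hits(event, f) for f in FILTERS_MAIN.values())
            and not any(_selection_hits(event, f) for f in FILTERS_OPTIONAL.values()))


def _ev(src, dst, **extra):
    return {"SourceImage": src, "TargetImage": dst, **extra}


S32 = "C:\\Windows\\System32\\"
# Constructed CreateRemoteThread records, not captured from a real host.
SAMPLE_EVENTS = {
    "mshta_to_svchost": _ev(S32 + "mshta.exe", S32 + "svchost.exe"),
    "winlogon_to_csrss": _ev(S32 + "winlogon.exe", S32 + "csrss.exe"),
    "winlogon_to_lsass_enriched": _ev(S32 + "winlogon.exe", S32 + "lsass.exe", TargetParentProcessId=4),
    "winlogon_to_lsass_plain": _ev(S32 + "winlogon.exe", S32 + "lsass.exe"),
    "schtasks_to_conhost": _ev("C:\\Windows\\SysWOW64\\schtasks.exe", S32 + "conhost.exe"),
    "explorer_to_notepad": _ev("C:\\Windows\\explorer.exe", S32 + "notepad.exe"),
    "msiexec_to_program_files": _ev(S32 + "msiexec.exe", "C:\\Program Files\\Vendor\\setup.exe"),
    "powerpnt_to_csrss": _ev("C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE", S32 + "csrss.exe"),
    "cmd_to_lsass": _ev(S32 + "cmd.exe", S32 + "lsass.exe"),
}


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event name to whether the rule fires on it."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(("ALERT " if fired else "quiet ") + name)
```

Running it alerts on `mshta_to_svchost`, `winlogon_to_lsass_plain` and `explorer_to_notepad` and stays quiet on the rest. The `cmd_to_lsass` record shows that the rule is allow-list driven: a source image not in `selection` never fires no matter what it targets, so coverage of injection from other binaries has to come from a different rule.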
References
- Personal research, statistical analysis
- https://lolbas-project.github.io
Related rules
- HackTool - CoercedPotato Execution
- Malicious Named Pipe Created
- Suspect Svchost Activity
- HackTool - CoercedPotato Named Pipe Creation
- HackTool - EfsPotato Named Pipe Creation