Remote Thread Creation In Uncommon Target Image

Detects uncommon target processes for remote thread creation

Sigma rule

```yaml
title: Remote Thread Creation In Uncommon Target Image
id: a1a144b7-5c9b-4853-a559-2172be8d4a03
related:
    - id: f016c716-754a-467f-a39e-63c06f773987
      type: obsoletes
status: experimental
description: Detects uncommon target processes for remote thread creation
references:
    - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth (Nextron Systems)
date: 2022/03/16
modified: 2023/10/19
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055.003
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith:
            - '\calc.exe'
            - '\calculator.exe'
            - '\explorer.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\sethc.exe'
            - '\spoolsv.exe'
            - '\wordpad.exe'
            - '\write.exe'
    filter_main_csrss:
        SourceImage|endswith: ':\Windows\System32\csrss.exe'
    filter_optional_aurora_1:
        StartFunction: 'EtwpNotificationThread'
    filter_optional_aurora_2:
        SourceImage|contains: 'unknown process'
    filter_optional_vmtoolsd:
        SourceImage|endswith: ':\Program Files\VMware\VMware Tools\vmtoolsd.exe'
        StartFunction: 'GetCommandLineW'
        TargetImage|endswith:
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\notepad.exe'
            - ':\Windows\System32\spoolsv.exe'
    filter_main_rundll32:
        SourceImage|endswith: ':\Windows\System32\rundll32.exe'
        TargetImage|endswith: ':\Windows\explorer.exe'
        StartFunction:
            - 'LoadLibraryW'
            - 'FreeLibrary'
    filter_optional_winzip:
        SourceImage|endswith: ':\Program Files\WinZip\FAHWindow64.exe'
        TargetImage|endswith: ':\Windows\explorer.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
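As an added example that is not part of the Sigma rule or the Sigma project, the rule's condition is evaluated here in plain Python over constructed CreateRemoteThread records (Sysmon Event ID 8). The field names SourceImage, TargetImage and StartFunction are the ones the rule references; the sample paths are hypothetical, and the `event` and `ends` helpers are this example's own, not Sigma API.

```python
# Added example (not Sigma code): this rule's condition in Python over constructed Sysmon Event ID 8 records.

UNCOMMON_TARGETS = ('\\calc.exe', '\\calculator.exe', '\\explorer.exe',
                    '\\mspaint.exe', '\\notepad.exe', '\\ping.exe', '\\sethc.exe',
                    '\\spoolsv.exe', '\\wordpad.exe', '\\write.exe')

def ends(value, *suffixes):
    """Sigma 'endswith': case-insensitive suffix test against one or more values."""
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def selection(ev):
    return ends(ev['TargetImage'], *UNCOMMON_TARGETS)

def filter_main(ev):
    """filter_main_csrss or filter_main_rundll32; either one suppresses the alert."""
    src, tgt, fn = ev['SourceImage'], ev['TargetImage'], ev['StartFunction']
    return (ends(src, ':\\Windows\\System32\\csrss.exe')
            or (ends(src, ':\\Windows\\System32\\rundll32.exe')
                and ends(tgt, ':\\Windows\\explorer.exe')
                and fn.lower() in ('loadlibraryw', 'freelibrary')))

def filter_optional(ev):
    """The filter_optional_* tuning filters: Aurora agent, VMware Tools, WinZip."""
    src, tgt, fn = ev['SourceImage'], ev['TargetImage'], ev['StartFunction']
    return (fn.lower() == 'etwpnotificationthread'
            or 'unknown process' in src.lower()
            or (ends(src, ':\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe')
                and fn.lower() == 'getcommandlinew'
                and ends(tgt, ':\\Windows\\explorer.exe', ':\\Windows\\System32\\notepad.exe',
                         ':\\Windows\\System32\\spoolsv.exe'))
            or (ends(src, ':\\Program Files\\WinZip\\FAHWindow64.exe')
                and ends(tgt, ':\\Windows\\explorer.exe')))

def rule_matches(ev):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(ev) and not filter_main(ev) and not filter_optional(ev)

def event(src, tgt, fn=''):
    return {'SourceImage': src, 'TargetImage': tgt, 'StartFunction': fn}

SAMPLE_EVENTS = [  # constructed sample events with hypothetical paths, not real telemetry
    event(r'C:\Users\bob\AppData\Local\Temp\updater.exe', r'C:\Windows\System32\notepad.exe'),
    event(r'C:\Windows\System32\csrss.exe', r'C:\Windows\System32\notepad.exe'),
    event(r'C:\Windows\System32\rundll32.exe', r'C:\Windows\explorer.exe', 'LoadLibraryW'),
    event(r'C:\Windows\System32\rundll32.exe', r'C:\Windows\explorer.exe', 'DllMain'),
    event(r'C:\Windows\System32\svchost.exe', r'C:\Windows\System32\lsass.exe'),
]

def alerting_sources(events=SAMPLE_EVENTS):
    return [e['SourceImage'] for e in events if rule_matches(e)]
```

Note that the rundll32 filter only covers the LoadLibraryW and FreeLibrary start functions, so a rundll32 thread into explorer.exe with any other start function still alerts, and the vmtoolsd filter only covers its three listed targets.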
