Remote Thread Creation In Mstsc.Exe From Suspicious Location

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.

Event coverage

Provider	Event ID	Title
Sysmon	8	CreateRemoteThread

Stages and Predicates

Stage 1: `selection`

or:
SourceImage|contains: ':\Temp\'
SourceImage|contains: ':\Users\Public\'
SourceImage|contains: ':\Windows\PerfLogs\'
SourceImage|contains: ':\Windows\Tasks\'
SourceImage|contains: ':\Windows\Temp\'
SourceImage|contains: '\AppData\Local\Temp\'
TargetImage|endswith: '\mstsc.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`SourceImage`	match	`:\Temp\` corpus 12 (sigma 12) `:\Users\Public\` corpus 14 (sigma 14) `:\Windows\PerfLogs\` `:\Windows\Tasks\` corpus 5 (sigma 5) `:\Windows\Temp\` corpus 9 (sigma 9) `\AppData\Local\Temp\` corpus 9 (sigma 9)
`TargetImage`	ends_with	`\mstsc.exe`

Remote Thread Creation In Mstsc.Exe From Suspicious Location

Event coverage

Stages and Predicates

Stage 1: selection

Indicators

Stage 1: `selection`