Rare Remote Thread Creation By Uncommon Source Image

Severity: high
Author: Perez Diego (@darkquassar), oscd.community
Source: upstream

Detects uncommon processes creating remote threads.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1055` Process Injection
Defense Evasion	`T1055` Process Injection

Event coverage

Provider	Event ID	Title
Sysmon	8	CreateRemoteThread

Stages and Predicates

Stage 1: `selection`

or:
SourceImage|endswith: '\bash.exe'
SourceImage|endswith: '\cscript.exe'
SourceImage|endswith: '\cvtres.exe'
SourceImage|endswith: '\defrag.exe'
SourceImage|endswith: '\dialer.exe'
SourceImage|endswith: '\dnx.exe'
SourceImage|endswith: '\esentutl.exe'
SourceImage|endswith: '\excel.exe'
SourceImage|endswith: '\expand.exe'
SourceImage|endswith: '\find.exe'
SourceImage|endswith: '\findstr.exe'
SourceImage|endswith: '\forfiles.exe'
SourceImage|endswith: '\gpupdate.exe'
SourceImage|endswith: '\hh.exe'
SourceImage|endswith: '\installutil.exe'
SourceImage|endswith: '\lync.exe'
SourceImage|endswith: '\mDNSResponder.exe'
SourceImage|endswith: '\makecab.exe'
SourceImage|endswith: '\monitoringhost.exe'
SourceImage|endswith: '\msbuild.exe'
SourceImage|endswith: '\mshta.exe'
SourceImage|endswith: '\mspaint.exe'
SourceImage|endswith: '\outlook.exe'
SourceImage|endswith: '\ping.exe'
SourceImage|endswith: '\provtool.exe'
SourceImage|endswith: '\python.exe'
SourceImage|endswith: '\regsvr32.exe'
SourceImage|endswith: '\robocopy.exe'
SourceImage|endswith: '\runonce.exe'
SourceImage|endswith: '\sapcimc.exe'
SourceImage|endswith: '\smartscreen.exe'
SourceImage|endswith: '\spoolsv.exe'
SourceImage|endswith: '\tstheme.exe'
SourceImage|endswith: '\userinit.exe'
SourceImage|endswith: '\vssadmin.exe'
SourceImage|endswith: '\vssvc.exe'
SourceImage|endswith: '\w3wp.exe'
SourceImage|endswith: '\winscp.exe'
SourceImage|endswith: '\winword.exe'
SourceImage|endswith: '\wmic.exe'
SourceImage|endswith: '\wscript.exe'

Stage 2: `not 1 of filter_main_*`

or:
SourceImage: ['C:\Windows\System32\Defrag.exe', 'C:\Windows\System32\makecab.exe']
TargetImage: 'C:\Windows\System32\conhost.exe'
or:
SourceImage|startswith: 'C:\Program Files (x86)\Microsoft Office\'
SourceImage|startswith: 'C:\Program Files\Microsoft Office\'
TargetImage: System
or:
TargetImage|startswith: 'C:\Program Files (x86)\'
TargetImage|startswith: 'C:\Program Files\'
SourceImage|endswith: '\WINWORD.EXE'
SourceImage: 'C:\Windows\System32\provtool.exe'
TargetImage: 'C:\Windows\System32\svchost.exe'
SourceImage: 'C:\Windows\System32\provtool.exe'
TargetImage: System
SourceImage: 'C:\Windows\System32\userinit.exe'
TargetImage: 'C:\Windows\explorer.exe'

Stage 3: `not 1 of filter_optional_explorer_vmtools`

TargetImage: ['C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe', 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe']
SourceImage|endswith: '\SysWOW64\explorer.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`SourceImage`	ends_with	`\SysWOW64\explorer.exe` `\WINWORD.EXE` `\bash.exe` corpus 17 (sigma 17) `\cscript.exe` corpus 64 (sigma 64) `\cvtres.exe` corpus 2 (sigma 2) `\defrag.exe` corpus 2 (sigma 2) `\dialer.exe` `\dnx.exe` corpus 2 (sigma 2) `\esentutl.exe` corpus 8 (sigma 8) `\excel.exe` corpus 16 (sigma 16) `\expand.exe` corpus 3 (sigma 3) `\find.exe` corpus 8 (sigma 8) `\findstr.exe` corpus 11 (sigma 11) `\forfiles.exe` corpus 11 (sigma 11) `\gpupdate.exe` corpus 2 (sigma 2) `\hh.exe` corpus 14 (sigma 14) `\installutil.exe` corpus 5 (sigma 5) `\lync.exe` `\mDNSResponder.exe` `\makecab.exe` `\monitoringhost.exe` `\msbuild.exe` corpus 7 (sigma 7) `\mshta.exe` corpus 57 (sigma 57) `\mspaint.exe` `\outlook.exe` corpus 16 (sigma 16) `\ping.exe` corpus 6 (sigma 6) `\provtool.exe` `\python.exe` corpus 3 (sigma 3) `\regsvr32.exe` corpus 57 (sigma 57) `\robocopy.exe` corpus 5 (sigma 5) `\runonce.exe` corpus 4 (sigma 4) `\sapcimc.exe` `\smartscreen.exe` corpus 2 (sigma 2) `\spoolsv.exe` corpus 2 (sigma 2) `\tstheme.exe` `\userinit.exe` corpus 2 (sigma 2) `\vssadmin.exe` corpus 5 (sigma 5) `\vssvc.exe` corpus 2 (sigma 2) `\w3wp.exe` corpus 6 (sigma 6) `\winscp.exe` `\winword.exe` corpus 17 (sigma 17) `\wmic.exe` corpus 37 (sigma 37) `\wscript.exe` corpus 64 (sigma 64)
`SourceImage`	eq	`C:\Windows\System32\Defrag.exe` `C:\Windows\System32\makecab.exe` `C:\Windows\System32\provtool.exe` `C:\Windows\System32\userinit.exe`
`SourceImage`	starts_with	`C:\Program Files (x86)\Microsoft Office\` corpus 3 (sigma 3) `C:\Program Files\Microsoft Office\` corpus 3 (sigma 3)
`TargetImage`	eq	`C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe` `C:\Program Files\VMware\VMware Tools\vmtoolsd.exe` `C:\Windows\System32\conhost.exe` corpus 2 (sigma 2) `C:\Windows\System32\svchost.exe` `C:\Windows\explorer.exe` `System` corpus 2 (sigma 2)
`TargetImage`	starts_with	`C:\Program Files (x86)\` corpus 2 (sigma 2) `C:\Program Files\` corpus 2 (sigma 2)