detection.wiki

Detection rules › Sigma

Remote Thread Creation By Uncommon Source Image

Severity
medium
Author
Perez Diego (@darkquassar), oscd.community
Source
upstream

Detects uncommon processes creating remote threads.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1055 Process Injection
Defense EvasionT1055 Process Injection

Event coverage

ProviderEvent IDTitle
Sysmon8CreateRemoteThread

Stages and Predicates

Stage 1: selection

or:
SourceImage|endswith: '\explorer.exe'
SourceImage|endswith: '\iexplore.exe'
SourceImage|endswith: '\msiexec.exe'
SourceImage|endswith: '\powerpnt.exe'
SourceImage|endswith: '\schtasks.exe'
SourceImage|endswith: '\winlogon.exe'

Stage 2: not 1 of filter_main_*

or:
SourceImage: ['C:\Windows\SysWOW64\schtasks.exe', 'C:\Windows\System32\schtasks.exe']
TargetImage: 'C:\Windows\System32\conhost.exe'
TargetImage: ['C:\Program Files (x86)\Internet Explorer\iexplore.exe', 'C:\Windows\System32\rundll32.exe']
SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
TargetImage: ['C:\Windows\SysWOW64\msiexec.exe', 'C:\Windows\System32\msiexec.exe']
SourceImage|endswith: '\msiexec.exe'
TargetImage: ['C:\Windows\System32\AtBroker.exe', 'C:\Windows\System32\LogonUI.exe', 'C:\Windows\System32\csrss.exe', 'C:\Windows\System32\dwm.exe', 'C:\Windows\System32\fontdrvhost.exe', 'C:\Windows\System32\services.exe', 'C:\Windows\System32\userinit.exe', 'C:\Windows\System32\wininit.exe', 'C:\Windows\System32\wlrmdr.exe']
SourceImage: 'C:\Windows\System32\winlogon.exe'
or:
TargetImage|contains: 'C:\Program Files (x86)\'
TargetImage|contains: 'C:\Program Files\'
TargetImage|contains: 'C:\Windows\Microsoft.NET\Framework64\'
TargetImage|contains: '\AppData\Local\'
SourceImage|endswith: '\msiexec.exe'
or:
TargetImage|contains: 'C:\Program Files (x86)\Microsoft Office\'
TargetImage|contains: 'C:\Program Files\Microsoft Office\'
SourceImage|endswith: '\POWERPNT.EXE'
or:
TargetImage|startswith: 'C:\Program Files (x86)\'
TargetImage|startswith: 'C:\Program Files\'
TargetImage|startswith: 'C:\Windows\SysWOW64\'
TargetImage|startswith: 'C:\Windows\System32\'
SourceImage: 'C:\Windows\explorer.exe'
SourceImage: 'C:\Windows\System32\winlogon.exe'
TargetParentProcessId: 4
TargetImage: ''
TargetImage: System
TargetImage: null

Stage 3: not 1 of filter_optional_*

or:
or:
SourceParentImage|startswith: 'C:\Program Files (x86)\'
SourceParentImage|startswith: 'C:\Program Files\'
SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
SourceParentImage|contains: '\CheckPoint\SmartConsole\'
SourceParentImage|contains: '\SmartConsole.exe'
SourceCommandLine|contains: '.checkpoint.com/documents/'
SourceCommandLine|contains: 'SmartConsole_OLH/'
SourceCommandLine|contains: 'default.htm#cshid='
SourceCommandLine|contains: 'https://'
SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
SourceImage|endswith: '\POWERPNT.EXE'
SourceImage|contains: '\Microsoft Office\'
TargetImage: 'C:\Windows\System32\csrss.exe'
SourceImage: 'C:\Windows\explorer.exe'
TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
SourceImage: 'C:\Windows\explorer.exe'
TargetImage|endswith: '\OfficeSetup.exe'
SourceImage: 'C:\Windows\explorer.exe'
TargetImage|endswith: '\aurora-dashboard.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
SourceCommandLinematch
  • .checkpoint.com/documents/
  • SmartConsole_OLH/
  • default.htm#cshid=
  • https://
SourceImageends_with
  • \POWERPNT.EXE corpus 4 (sigma 4)
  • \explorer.exe corpus 12 (sigma 12)
  • \iexplore.exe corpus 4 (sigma 4)
  • \msiexec.exe corpus 21 (sigma 21)
  • \powerpnt.exe corpus 13 (sigma 13)
  • \schtasks.exe corpus 45 (sigma 45)
  • \winlogon.exe corpus 5 (sigma 5)
SourceImageeq
  • C:\Program Files\Internet Explorer\iexplore.exe corpus 11 (sigma 11)
  • C:\Program Files\internet explorer\iexplore.exe
  • C:\Windows\SysWOW64\schtasks.exe corpus 2 (sigma 2)
  • C:\Windows\System32\schtasks.exe corpus 2 (sigma 2)
  • C:\Windows\System32\winlogon.exe
  • C:\Windows\explorer.exe corpus 9 (sigma 9)
SourceImagematch
  • \Microsoft Office\
SourceParentImagematch
  • \CheckPoint\SmartConsole\
  • \SmartConsole.exe
SourceParentImagestarts_with
  • C:\Program Files (x86)\
  • C:\Program Files\
TargetImageends_with
  • \AppData\Local\Microsoft\OneDrive\OneDrive.exe
  • \OfficeSetup.exe
  • \aurora-dashboard.exe
TargetImageeq
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
  • C:\Windows\SysWOW64\msiexec.exe
  • C:\Windows\System32\AtBroker.exe
  • C:\Windows\System32\LogonUI.exe
  • C:\Windows\System32\conhost.exe corpus 2 (sigma 2)
  • C:\Windows\System32\csrss.exe
  • C:\Windows\System32\dwm.exe
  • C:\Windows\System32\fontdrvhost.exe
  • C:\Windows\System32\msiexec.exe
  • C:\Windows\System32\rundll32.exe
  • C:\Windows\System32\services.exe
  • C:\Windows\System32\userinit.exe
  • C:\Windows\System32\wininit.exe
  • C:\Windows\System32\wlrmdr.exe
  • System corpus 2 (sigma 2)
TargetImagematch
  • C:\Program Files (x86)\
  • C:\Program Files (x86)\Microsoft Office\
  • C:\Program Files\
  • C:\Program Files\Microsoft Office\
  • C:\Windows\Microsoft.NET\Framework64\
  • \AppData\Local\
TargetImagestarts_with
  • C:\Program Files (x86)\ corpus 2 (sigma 2)
  • C:\Program Files\ corpus 2 (sigma 2)
  • C:\Windows\SysWOW64\
  • C:\Windows\System32\
TargetParentProcessIdeq
  • 4