
Remote Thread Creation In Uncommon Target Image

Severity: medium
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects remote thread creation (Sysmon Event ID 8) into target processes that are uncommon injection targets in normal operation.

MITRE ATT&CK coverage

Tactic               | Technique
Privilege Escalation | T1055.003 Process Injection: Thread Execution Hijacking
Defense Evasion      | T1055.003 Process Injection: Thread Execution Hijacking

Event coverage

Provider | Event ID | Title
Sysmon   | 8        | CreateRemoteThread

Stages and Predicates

Stage 1: selection

or:
TargetImage|endswith: '\calc.exe'
TargetImage|endswith: '\calculator.exe'
TargetImage|endswith: '\mspaint.exe'
TargetImage|endswith: '\notepad.exe'
TargetImage|endswith: '\ping.exe'
TargetImage|endswith: '\sethc.exe'
TargetImage|endswith: '\spoolsv.exe'
TargetImage|endswith: '\wordpad.exe'
TargetImage|endswith: '\write.exe'

Stage 2: not 1 of filter_main_*

or (each group below is one filter; all predicates in a group must match):
  - SourceImage: ['C:\Windows\System32\OpenWith.exe', 'C:\Windows\System32\explorer.exe']
    TargetImage: 'C:\Windows\System32\notepad.exe'
  - SourceImage: 'C:\Windows\System32\AtBroker.exe'
    TargetImage: 'C:\Windows\System32\Sethc.exe'
  - SourceImage: 'C:\Windows\System32\csrss.exe'

Stage 3: not 1 of filter_optional_*

or (each group below is one filter; all predicates in a group must match):
  - TargetImage: ['C:\Windows\System32\notepad.exe', 'C:\Windows\System32\spoolsv.exe']
    SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
    StartFunction: GetCommandLineW
  - SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
    StartFunction: LoadLibraryW
    TargetImage: 'C:\Windows\System32\spoolsv.exe'
  - SourceImage|contains: 'unknown process'
    StartFunction: EtwpNotificationThread
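The three stages combine as "selection and not 1 of filter_main_* and not 1 of filter_optional_*". The following is an added example, not code from the rule or the catalog: it evaluates exactly that logic over constructed Sysmon Event ID 8 records, using the field values listed above, so the effect of each filter group can be checked on a sample.

```python
# Added example (not the rule's or the catalog's code): evaluates this rule's
# selection / filter_main_* / filter_optional_* logic over constructed
# Sysmon Event ID 8 records. Filter groupings follow the Stages above.
SELECTION_SUFFIXES = ['\\calc.exe', '\\calculator.exe', '\\mspaint.exe', '\\notepad.exe',
                      '\\ping.exe', '\\sethc.exe', '\\spoolsv.exe', '\\wordpad.exe', '\\write.exe']
# Each filter is an AND of its predicates; a list value means "any of these".
FILTERS_MAIN = [
    {'SourceImage': ['C:\\Windows\\System32\\OpenWith.exe', 'C:\\Windows\\System32\\explorer.exe'],
     'TargetImage': 'C:\\Windows\\System32\\notepad.exe'},
    {'SourceImage': 'C:\\Windows\\System32\\AtBroker.exe', 'TargetImage': 'C:\\Windows\\System32\\Sethc.exe'},
    {'SourceImage': 'C:\\Windows\\System32\\csrss.exe'},
]
FILTERS_OPTIONAL = [
    {'TargetImage': ['C:\\Windows\\System32\\notepad.exe', 'C:\\Windows\\System32\\spoolsv.exe'],
     'SourceImage': 'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe', 'StartFunction': 'GetCommandLineW'},
    {'SourceImage': 'C:\\Program Files\\Xerox\\XeroxPrintExperience\\CommonFiles\\XeroxPrintJobEventManagerService.exe',
     'StartFunction': 'LoadLibraryW', 'TargetImage': 'C:\\Windows\\System32\\spoolsv.exe'},
    {'SourceImage|contains': 'unknown process', 'StartFunction': 'EtwpNotificationThread'},
]

def _pred(event, key, expected):
    """One Sigma predicate; Sigma string comparisons are case-insensitive."""
    field, _, modifier = key.partition('|')
    actual = str(event.get(field, '')).lower()
    wanted = [v.lower() for v in (expected if isinstance(expected, list) else [expected])]
    if modifier == 'contains':
        return any(v in actual for v in wanted)
    return actual in wanted

def matches(event):
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    target = str(event.get('TargetImage', '')).lower()
    if event.get('EventID') != 8 or not any(target.endswith(s.lower()) for s in SELECTION_SUFFIXES):
        return False
    return not any(all(_pred(event, k, v) for k, v in f.items()) for f in FILTERS_MAIN + FILTERS_OPTIONAL)

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {'EventID': 8, 'SourceImage': 'C:\\Users\\alice\\Downloads\\setup.exe',
     'TargetImage': 'C:\\Windows\\System32\\notepad.exe', 'StartFunction': ''},
    {'EventID': 8, 'SourceImage': 'C:\\Windows\\System32\\explorer.exe',
     'TargetImage': 'C:\\Windows\\System32\\notepad.exe', 'StartFunction': ''},
    {'EventID': 8, 'SourceImage': 'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe',
     'TargetImage': 'C:\\Windows\\System32\\spoolsv.exe', 'StartFunction': 'GetCommandLineW'},
    {'EventID': 8, 'SourceImage': 'C:\\Windows\\System32\\svchost.exe',
     'TargetImage': 'C:\\Windows\\System32\\lsass.exe', 'StartFunction': ''},
]

def alerts(events):
    """Return (SourceImage, TargetImage) pairs for events the rule would raise."""
    return [(e['SourceImage'], e['TargetImage']) for e in events if matches(e)]
```

Only the first sample record fires: the explorer.exe and vmtoolsd.exe records are suppressed by filter_main_* and filter_optional_* respectively, and the lsass.exe record never enters the selection because that target is outside this rule's scope.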

Indicators

Each row is a field, operator, and value that the rule matches. The corpus annotation counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
SourceImage | eq |
  • C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
  • C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe
  • C:\Windows\System32\AtBroker.exe
  • C:\Windows\System32\OpenWith.exe (corpus 2, sigma 2)
  • C:\Windows\System32\csrss.exe
  • C:\Windows\System32\explorer.exe
SourceImage | match |
  • unknown process
StartFunction | eq |
  • EtwpNotificationThread
  • GetCommandLineW
  • LoadLibraryW
TargetImage | ends_with |
  • \calc.exe (corpus 2, sigma 2)
  • \calculator.exe (corpus 2, sigma 2)
  • \mspaint.exe (corpus 2, sigma 2)
  • \notepad.exe (corpus 2, sigma 2)
  • \ping.exe (corpus 2, sigma 2)
  • \sethc.exe
  • \spoolsv.exe
  • \wordpad.exe (corpus 2, sigma 2)
  • \write.exe (corpus 2, sigma 2)
TargetImage | eq |
  • C:\Windows\System32\Sethc.exe
  • C:\Windows\System32\notepad.exe
  • C:\Windows\System32\spoolsv.exe