Detection rules › Splunk
Create Remote Thread In Shell Application
The following analytic detects suspicious process injection in command shell applications, specifically targeting cmd.exe and powershell.exe. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1055 Process Injection |
| Defense Evasion | T1055 Process Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 8 | CreateRemoteThread |
Stages and Predicates
Stage 1: search
search EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*", "*\\pwsh.exe")
Stage 2: stats
stats BY EventID, Guid, NewThreadId, ProcessID, SecurityID, SourceImage, SourceProcessGuid, SourceProcessId, StartAddress, StartFunction, StartModule, TargetImage, TargetProcessGuid, TargetProcessId, UserID, dest, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
TargetImage | in |
|