Powershell Remote Thread To Known Windows Process

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1055` Process Injection
Defense Evasion	`T1055` Process Injection

Event coverage

Provider	Event ID	Title
Sysmon	8	CreateRemoteThread

Stages and Predicates

Stage 1: `search`

search EventCode=8 TargetImage IN ("*\\csrss.exe", "*\\explorer.exe", "*\\gpupdate.exe", "*\\services.exe", "*\\smss.exe", "*\\spoolsv.exe", "*\\svchost.exe", "*\\taskhost.exe", "*\\userinit.exe", "*\\wininit.exe", "*\\winlogon.exe") parent_process_name IN ("powershell.exe", "powershell_ise.exe")

Stage 2: `stats`

stats BY EventID, Guid, NewThreadId, ProcessID, SecurityID, SourceImage, SourceProcessGuid, SourceProcessId, StartAddress, StartFunction, StartModule, TargetImage, TargetProcessGuid, TargetProcessId, UserID, dest, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`8` corpus 8 (splunk 8)
`TargetImage`	in	`"\\csrss.exe"` `"\\explorer.exe"` corpus 2 (splunk 2) `"\\gpupdate.exe"` `"\\services.exe"` `"\\smss.exe"` `"\\spoolsv.exe"` corpus 3 (splunk 3) `"\\svchost.exe"` corpus 2 (splunk 2) `"\\taskhost.exe"` `"\\userinit.exe"` `"\\wininit.exe"` `"*\\winlogon.exe"`
`parent_process_name`	in	`"powershell.exe"` corpus 2 (splunk 2) `"powershell_ise.exe"`

Powershell Remote Thread To Known Windows Process

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: search