/
create_remote_thread_win_susp_relevant_source_image.yml
67 lines (67 loc) · 2.04 KB
/
create_remote_thread_win_susp_relevant_source_image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
title: Rare Remote Thread Creation By Uncommon Source Image
id: 02d1d718-dd13-41af-989d-ea85c7fab93f
related:
- id: 66d31e5f-52d6-40a4-9615-002d3789a119
type: derived
status: experimental
description: Detects uncommon processes creating remote threads.
references:
- Personal research, statistical analysis
- https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019/10/27
modified: 2024/01/17
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1055
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\bash.exe'
- '\cscript.exe'
- '\cvtres.exe'
- '\defrag.exe'
- '\dnx.exe'
- '\esentutl.exe'
- '\excel.exe'
- '\expand.exe'
- '\find.exe'
- '\findstr.exe'
- '\forfiles.exe'
- '\gpupdate.exe'
- '\hh.exe'
- '\installutil.exe'
- '\lync.exe'
- '\makecab.exe'
- '\mDNSResponder.exe'
- '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
- '\msbuild.exe'
- '\mshta.exe'
- '\mspaint.exe'
- '\outlook.exe'
- '\ping.exe'
- '\provtool.exe'
- '\python.exe'
- '\regsvr32.exe'
- '\robocopy.exe'
- '\runonce.exe'
- '\sapcimc.exe'
- '\smartscreen.exe'
- '\spoolsv.exe'
- '\tstheme.exe'
- '\userinit.exe'
- '\vssadmin.exe'
- '\vssvc.exe'
- '\w3wp.exe'
- '\winscp.exe'
- '\winword.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: high