rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml

title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
status: experimental
date: 2019/08/11
modified: 2020/08/28
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
tags:
    - attack.defense_evasion
    - attack.t1055          # an old one
    - attack.t1055.001
logsource:
    product: windows
    service: sysmon
detection:
    selection: 
        EventID: 8
        StartModule|endswith: '\kernel32.dll'
        StartFunction: 'LoadLibraryA'
    condition: selection
falsepositives:
    - Unknown
level: critical
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`title: CreateRemoteThread API and LoadLibrary`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 052ec6f6-1adc-41e6-907a-f1c813478bee`
oscd task #6 done. 2019-11-10 18:43:41 +03:00			`description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`status: experimental`
			`date: 2019/08/11`
review windows/sysmon 2020-08-29 02:03:28 +02:00			`modified: 2020/08/28`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
			`- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md`
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`tags:`
			`- attack.defense_evasion`
review windows/sysmon 2020-08-29 02:03:28 +02:00			`- attack.t1055 # an old one`
			`- attack.t1055.001`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 8`
oscd task #6 done. 2019-11-10 18:43:41 +03:00			`StartModule\|endswith: '\kernel32.dll'`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`StartFunction: 'LoadLibraryA'`
			`condition: selection`
			`falsepositives:`
			`- Unknown`
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`level: critical`