rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml

title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
status: test
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
author: Roberto Rodriguez @Cyb3rWard0g
references:
  - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
date: 2019/08/11
modified: 2021/11/27
logsource:
  product: windows
  category: create_remote_thread
detection:
  selection:
    StartModule|endswith: '\kernel32.dll'
    StartFunction: 'LoadLibraryA'
  condition: selection
falsepositives:
  - Unknown
level: critical
tags:
  - attack.defense_evasion
  - attack.t1055.001
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`title: CreateRemoteThread API and LoadLibrary`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 052ec6f6-1adc-41e6-907a-f1c813478bee`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
oscd task #6 done. 2019-11-10 18:43:41 +03:00			`description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html`
			`date: 2019/08/11`
			`modified: 2021/11/27`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`product: windows`
			`category: create_remote_thread`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`StartModule\|endswith: '\kernel32.dll'`
			`StartFunction: 'LoadLibraryA'`
			`condition: selection`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Unknown`
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`level: critical`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1055.001`