rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml

title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
status: experimental
date: 2019/08/11
modified: 2020/08/28
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
tags:
    - attack.defense_evasion
    - attack.t1055          # an old one
    - attack.t1055.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection: 
        StartModule|endswith: '\kernel32.dll'
        StartFunction: 'LoadLibraryA'
    condition: selection
falsepositives:
    - Unknown
level: critical
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`title: CreateRemoteThread API and LoadLibrary`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 052ec6f6-1adc-41e6-907a-f1c813478bee`
oscd task #6 done. 2019-11-10 18:43:41 +03:00			`description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`status: experimental`
			`date: 2019/08/11`
review windows/sysmon 2020-08-29 02:03:28 +02:00			`modified: 2020/08/28`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
Update Threat Hunter Playbook Reference 2021-05-22 01:00:39 -03:00			`- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html`
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`tags:`
			`- attack.defense_evasion`
review windows/sysmon 2020-08-29 02:03:28 +02:00			`- attack.t1055 # an old one`
			`- attack.t1055.001`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`logsource:`
			`product: windows`
- Created new categories for sysmon events 2020-09-30 20:44:14 +02:00			`category: create_remote_thread`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`detection:`
			`selection:`
oscd task #6 done. 2019-11-10 18:43:41 +03:00			`StartModule\|endswith: '\kernel32.dll'`
add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml 2019-10-24 14:34:16 +02:00			`StartFunction: 'LoadLibraryA'`
			`condition: selection`
			`falsepositives:`
			`- Unknown`
Removed ATT&CK technique ids from titles and added tags 2020-01-11 00:33:50 +01:00			`level: critical`