Florian Roth
105 lines
3.5 KiB
YAML
105 lines
3.5 KiB
YAML
title: Suspicious Remote Thread Created
|
|
id: 66d31e5f-52d6-40a4-9615-002d3789a119
|
|
description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims
|
|
to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is
|
|
a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
|
|
notes:
|
|
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
|
|
status: experimental
|
|
date: 2019/10/27
|
|
modified: 2022/07/31
|
|
author: Perez Diego (@darkquassar), oscd.community
|
|
references:
|
|
- Personal research, statistical analysis
|
|
- https://lolbas-project.github.io
|
|
logsource:
|
|
product: windows
|
|
category: create_remote_thread
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.defense_evasion
|
|
- attack.t1055
|
|
detection:
|
|
selection:
|
|
SourceImage|endswith:
|
|
- '\bash.exe'
|
|
- '\cvtres.exe'
|
|
- '\defrag.exe'
|
|
- '\dnx.exe'
|
|
- '\esentutl.exe'
|
|
- '\excel.exe'
|
|
- '\expand.exe'
|
|
- '\explorer.exe'
|
|
- '\find.exe'
|
|
- '\findstr.exe'
|
|
- '\forfiles.exe'
|
|
# - '\git.exe'
|
|
- '\gpupdate.exe'
|
|
- '\hh.exe'
|
|
- '\iexplore.exe'
|
|
- '\installutil.exe'
|
|
- '\lync.exe'
|
|
- '\makecab.exe'
|
|
- '\mDNSResponder.exe'
|
|
- '\monitoringhost.exe'
|
|
- '\msbuild.exe'
|
|
- '\mshta.exe'
|
|
- '\msiexec.exe'
|
|
- '\mspaint.exe'
|
|
- '\outlook.exe'
|
|
- '\ping.exe'
|
|
- '\powerpnt.exe'
|
|
- '\powershell.exe'
|
|
- '\pwsh.exe'
|
|
- '\provtool.exe'
|
|
- '\python.exe'
|
|
- '\regsvr32.exe'
|
|
- '\robocopy.exe'
|
|
- '\runonce.exe'
|
|
- '\sapcimc.exe'
|
|
- '\schtasks.exe'
|
|
- '\smartscreen.exe'
|
|
- '\spoolsv.exe'
|
|
# - '\taskhost.exe' # disabled due to false positives
|
|
- '\tstheme.exe'
|
|
- '\userinit.exe'
|
|
- '\vssadmin.exe'
|
|
- '\vssvc.exe'
|
|
- '\w3wp.exe'
|
|
- '\winlogon.exe'
|
|
- '\winscp.exe'
|
|
- '\wmic.exe'
|
|
- '\word.exe'
|
|
- '\wscript.exe'
|
|
filter_vs:
|
|
- SourceImage|contains: 'Visual Studio'
|
|
- SourceParentImage|contains: '\Programs\Microsoft VS Code\'
|
|
filter2:
|
|
SourceImage: 'C:\Windows\System32\winlogon.exe'
|
|
TargetImage:
|
|
- 'C:\Windows\System32\services.exe' # happens on Windows 7
|
|
- 'C:\Windows\System32\wininit.exe' # happens on Windows 7
|
|
- 'C:\Windows\System32\csrss.exe' # multiple OS
|
|
filter3:
|
|
SourceImage: 'C:\Windows\System32\provtool.exe'
|
|
TargetParentProcessId: 0
|
|
filter4:
|
|
SourceImage|endswith: '\git.exe'
|
|
TargetImage|endswith:
|
|
- '\git.exe'
|
|
- 'C:\Windows\System32\conhost.exe'
|
|
filter5:
|
|
SourceImage: 'C:\Windows\System32\VSSVC.exe'
|
|
TargetImage: 'System'
|
|
filter_powershell:
|
|
SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
|
|
condition: selection and not 1 of filter*
|
|
fields:
|
|
- ComputerName
|
|
- User
|
|
- SourceImage
|
|
- TargetImage
|
|
level: high
|
|
falsepositives:
|
|
- Unknown
|