security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
da54e89f3045fdf23daa2dbdfd712aceb393ae90
blue-team-tools/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
T
Thomas Patzke ae6fcefbcd Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00

25 lines
799 B
YAML
Raw Blame History

title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
status: experimental
date: 2019/08/11
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
tags:
- attack.defense_evasion
- attack.t1055
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
StartModule|endswith: '\kernel32.dll'
StartFunction: 'LoadLibraryA'
condition: selection
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink