SigmaHQ/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml

title: Suspicious Remote Thread Created
id: 66d31e5f-52d6-40a4-9615-002d3789a119
description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims
    to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is
    a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
notes:
    - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 2019/10/27
modified: 2020/08/28
author: Perez Diego (@darkquassar), oscd.community
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
logsource:
    product: windows
    service: sysmon
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1055
detection:
    selection: 
        EventID: 8
        SourceImage|endswith:
            - '\bash.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\explorer.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            - '\git.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\iexplore.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe'
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\powerpnt.exe'
            - '\powershell.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\schtasks.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            # - '\taskhost.exe'  # disabled due to false positives
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe*'       
            - '\winlogon.exe'
            - '\winscp.exe'
            - '\wmic.exe'
            - '\word.exe'
            - '\wscript.exe'
    filter:
        SourceImage|contains: 'Visual Studio'
    condition: selection AND NOT filter
fields:
    - ComputerName
    - User
    - SourceImage
    - TargetImage
level: high
falsepositives:
    - Unknown
New rule Suspicious Remote Thread Created 2019-10-29 05:12:57 +00:00			`title: Suspicious Remote Thread Created`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: 66d31e5f-52d6-40a4-9615-002d3789a119`
			`description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims`
			`to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is`
			`a generalistic rule, but it should have a low FP ratio due to the selected range of processes.`
			`notes:`
New rule Suspicious Remote Thread Created 2019-10-29 05:12:57 +00:00			`- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.`
			`status: experimental`
Date typos...more than I thought... 2020-04-02 08:00:00 +00:00			`date: 2019/10/27`
review windows/sysmon 2020-08-29 00:03:28 +00:00			`modified: 2020/08/28`
New rule Suspicious Remote Thread Created 2019-10-29 05:12:57 +00:00			`author: Perez Diego (@darkquassar), oscd.community`
			`references:`
			`- Personal research, statistical analysis`
			`- https://lolbas-project.github.io`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`tags:`
			`- attack.privilege_escalation`
review windows/sysmon 2020-08-29 00:03:28 +00:00			`- attack.defense_evasion`
fix issues with wrong tagging 2019-12-14 23:17:22 +00:00			`- attack.t1055`
New rule Suspicious Remote Thread Created 2019-10-29 05:12:57 +00:00			`detection:`
			`selection:`
			`EventID: 8`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`SourceImage\|endswith:`
			`- '\bash.exe'`
			`- '\cvtres.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\defrag.exe'`
			`- '\dnx.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\esentutl.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\excel.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\expand.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\explorer.exe'`
			`- '\find.exe'`
			`- '\findstr.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\forfiles.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\git.exe'`
			`- '\gpupdate.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\hh.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\iexplore.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\installutil.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\lync.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\makecab.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\mDNSResponder.exe'`
			`- '\monitoringhost.exe'`
			`- '\msbuild.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\mshta.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\msiexec.exe'`
			`- '\mspaint.exe'`
			`- '\outlook.exe'`
			`- '\ping.exe'`
			`- '\powerpnt.exe'`
			`- '\powershell.exe'`
			`- '\provtool.exe'`
			`- '\python.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\regsvr32.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\robocopy.exe'`
			`- '\runonce.exe'`
			`- '\sapcimc.exe'`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\schtasks.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\smartscreen.exe'`
			`- '\spoolsv.exe'`
fixing false positives 2020-02-26 08:33:55 +00:00			`# - '\taskhost.exe' # disabled due to false positives`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`- '\tstheme.exe'`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`- '\userinit.exe'`
			`- '\vssadmin.exe'`
			`- '\vssvc.exe'`
			`- '\w3wp.exe*'`
			`- '\winlogon.exe'`
			`- '\winscp.exe'`
			`- '\wmic.exe'`
			`- '\word.exe'`
			`- '\wscript.exe'`
New rule Suspicious Remote Thread Created 2019-10-29 05:12:57 +00:00			`filter:`
Update sysmon_suspicious_remote_thread.yml 2019-11-13 21:34:09 +00:00			`SourceImage\|contains: 'Visual Studio'`
New rule Suspicious Remote Thread Created 2019-10-29 05:12:57 +00:00			`condition: selection AND NOT filter`
OSCD QA wave 1 * Checked all rules against Mordor and EVTX samples datasets * Added field names * Some severity adjustments * Fixes 2020-01-10 23:11:27 +00:00			`fields:`
			`- ComputerName`
			`- User`
			`- SourceImage`
			`- TargetImage`
New rule Suspicious Remote Thread Created 2019-10-29 05:12:57 +00:00			`level: high`
			`falsepositives:`
			`- Unknown`