mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-09 02:26:48 +00:00
85 lines
2.7 KiB
YAML
85 lines
2.7 KiB
YAML
title: Suspicious Remote Thread Created
|
|
id: 66d31e5f-52d6-40a4-9615-002d3789a119
|
|
description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims
|
|
to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is
|
|
a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
|
|
notes:
|
|
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
|
|
status: experimental
|
|
date: 2019/10/27
|
|
modified: 2020/08/28
|
|
author: Perez Diego (@darkquassar), oscd.community
|
|
references:
|
|
- Personal research, statistical analysis
|
|
- https://lolbas-project.github.io
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.defense_evasion
|
|
- attack.t1055
|
|
detection:
|
|
selection:
|
|
EventID: 8
|
|
SourceImage|endswith:
|
|
- '\bash.exe'
|
|
- '\cvtres.exe'
|
|
- '\defrag.exe'
|
|
- '\dnx.exe'
|
|
- '\esentutl.exe'
|
|
- '\excel.exe'
|
|
- '\expand.exe'
|
|
- '\explorer.exe'
|
|
- '\find.exe'
|
|
- '\findstr.exe'
|
|
- '\forfiles.exe'
|
|
- '\git.exe'
|
|
- '\gpupdate.exe'
|
|
- '\hh.exe'
|
|
- '\iexplore.exe'
|
|
- '\installutil.exe'
|
|
- '\lync.exe'
|
|
- '\makecab.exe'
|
|
- '\mDNSResponder.exe'
|
|
- '\monitoringhost.exe'
|
|
- '\msbuild.exe'
|
|
- '\mshta.exe'
|
|
- '\msiexec.exe'
|
|
- '\mspaint.exe'
|
|
- '\outlook.exe'
|
|
- '\ping.exe'
|
|
- '\powerpnt.exe'
|
|
- '\powershell.exe'
|
|
- '\provtool.exe'
|
|
- '\python.exe'
|
|
- '\regsvr32.exe'
|
|
- '\robocopy.exe'
|
|
- '\runonce.exe'
|
|
- '\sapcimc.exe'
|
|
- '\schtasks.exe'
|
|
- '\smartscreen.exe'
|
|
- '\spoolsv.exe'
|
|
# - '\taskhost.exe' # disabled due to false positives
|
|
- '\tstheme.exe'
|
|
- '\userinit.exe'
|
|
- '\vssadmin.exe'
|
|
- '\vssvc.exe'
|
|
- '\w3wp.exe*'
|
|
- '\winlogon.exe'
|
|
- '\winscp.exe'
|
|
- '\wmic.exe'
|
|
- '\word.exe'
|
|
- '\wscript.exe'
|
|
filter:
|
|
SourceImage|contains: 'Visual Studio'
|
|
condition: selection AND NOT filter
|
|
fields:
|
|
- ComputerName
|
|
- User
|
|
- SourceImage
|
|
- TargetImage
|
|
level: high
|
|
falsepositives:
|
|
- Unknown
|