
Rare Remote Thread Creation By Uncommon Source Image

Status: test
Severity: high
Log source: product windows, category create_remote_thread
Author: Perez Diego (@darkquassar), oscd.community
Source: github.com/SigmaHQ/sigma

Detects uncommon processes creating remote threads.

MITRE ATT&CK coverage

Tactic                Technique
Privilege Escalation  T1055 Process Injection
Stealth               T1055 Process Injection

Event coverage

Provider  Event       Title
Sysmon    Event ID 8  CreateRemoteThread

Rule body (YAML)

title: Rare Remote Thread Creation By Uncommon Source Image
id: 02d1d718-dd13-41af-989d-ea85c7fab93f
related:
    - id: 66d31e5f-52d6-40a4-9615-002d3789a119
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
            - '\cscript.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dialer.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe'
            - '\winscp.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_conhost:
        SourceImage:
            - 'C:\Windows\System32\Defrag.exe'
            - 'C:\Windows\System32\makecab.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_provtol_svchost:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'C:\Windows\System32\svchost.exe'
    filter_main_provtool_system:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'System'
    filter_main_userinit:
        SourceImage: 'C:\Windows\System32\userinit.exe'
        TargetImage: 'C:\Windows\explorer.exe'
    filter_main_winword:
        SourceImage|endswith: '\WINWORD.EXE'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\' # C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            - 'C:\Program Files\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
    filter_main_ms_office:
        # Raised by following issue: https://github.com/SigmaHQ/sigma/issues/5529
        SourceImage|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        TargetImage: 'System'
    filter_optional_explorer_vmtools:
        SourceImage|endswith: '\SysWOW64\explorer.exe'
        TargetImage:
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: high

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_* and not 1 of filter_optional_*

Stage 1: selection

selection:
    SourceImage|endswith:
        - '\bash.exe'
        - '\cscript.exe'
        - '\cvtres.exe'
        - '\defrag.exe'
        - '\dialer.exe'
        - '\dnx.exe'
        - '\esentutl.exe'
        - '\excel.exe'
        - '\expand.exe'
        - '\find.exe'
        - '\findstr.exe'
        - '\forfiles.exe'
        - '\gpupdate.exe'
        - '\hh.exe'
        - '\installutil.exe'
        - '\lync.exe'
        - '\makecab.exe'
        - '\mDNSResponder.exe'
        - '\monitoringhost.exe'
        - '\msbuild.exe'
        - '\mshta.exe'
        - '\mspaint.exe'
        - '\outlook.exe'
        - '\ping.exe'
        - '\provtool.exe'
        - '\python.exe'
        - '\regsvr32.exe'
        - '\robocopy.exe'
        - '\runonce.exe'
        - '\sapcimc.exe'
        - '\smartscreen.exe'
        - '\spoolsv.exe'
        - '\tstheme.exe'
        - '\userinit.exe'
        - '\vssadmin.exe'
        - '\vssvc.exe'
        - '\w3wp.exe'
        - '\winscp.exe'
        - '\winword.exe'
        - '\wmic.exe'
        - '\wscript.exe'

Stage 2: not filter_main_*

filter_main_conhost:
    SourceImage:
        - 'C:\Windows\System32\Defrag.exe'
        - 'C:\Windows\System32\makecab.exe'
    TargetImage: 'C:\Windows\System32\conhost.exe'
filter_main_provtol_svchost:
    SourceImage: 'C:\Windows\System32\provtool.exe'
    TargetImage: 'C:\Windows\System32\svchost.exe'
filter_main_provtool_system:
    SourceImage: 'C:\Windows\System32\provtool.exe'
    TargetImage: 'System'
filter_main_userinit:
    SourceImage: 'C:\Windows\System32\userinit.exe'
    TargetImage: 'C:\Windows\explorer.exe'
filter_main_winword:
    SourceImage|endswith: '\WINWORD.EXE'
    TargetImage|startswith:
        - 'C:\Program Files (x86)\'
        - 'C:\Program Files\'
filter_main_ms_office:
    SourceImage|startswith:
        - 'C:\Program Files\Microsoft Office\'
        - 'C:\Program Files (x86)\Microsoft Office\'
    TargetImage: 'System'

Stage 3: not filter_optional_explorer_vmtools

filter_optional_explorer_vmtools:
    SourceImage|endswith: '\SysWOW64\explorer.exe'
    TargetImage:
        - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
        - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
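To see how the condition ties the stages above together, here is an added Python evaluator (not SigmaHQ's code and not the pySigma engine) that applies selection, the filter_main_* blocks and the filter_optional_* block to constructed Sysmon Event ID 8 records. It lowercases both sides because Sigma string matching is case-insensitive by default, which is why the selection's '\winword.exe' and the filter's '\WINWORD.EXE' agree; the SYS32/PF/PF86 helpers, the SAMPLE_EVENTS paths and the user name are assumptions.

```python
SYS32, PF, PF86 = "C:\\Windows\\System32\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\"
SELECTION = [("SourceImage", "endswith", ["\\" + n for n in (
    "bash.exe cscript.exe cvtres.exe defrag.exe dialer.exe dnx.exe esentutl.exe excel.exe "
    "expand.exe find.exe findstr.exe forfiles.exe gpupdate.exe hh.exe installutil.exe lync.exe "
    "makecab.exe mDNSResponder.exe monitoringhost.exe msbuild.exe mshta.exe mspaint.exe "
    "outlook.exe ping.exe provtool.exe python.exe regsvr32.exe robocopy.exe runonce.exe "
    "sapcimc.exe smartscreen.exe spoolsv.exe tstheme.exe userinit.exe vssadmin.exe vssvc.exe "
    "w3wp.exe winscp.exe winword.exe wmic.exe wscript.exe").split()])]
# Each filter ANDs its field predicates; the condition ORs the filters ("1 of filter_main_*").
FILTER_MAIN = {
    "filter_main_conhost": [("SourceImage", "eq", [SYS32 + "Defrag.exe", SYS32 + "makecab.exe"]),
                            ("TargetImage", "eq", [SYS32 + "conhost.exe"])],
    "filter_main_provtol_svchost": [("SourceImage", "eq", [SYS32 + "provtool.exe"]),
                                    ("TargetImage", "eq", [SYS32 + "svchost.exe"])],
    "filter_main_provtool_system": [("SourceImage", "eq", [SYS32 + "provtool.exe"]),
                                    ("TargetImage", "eq", ["System"])],
    "filter_main_userinit": [("SourceImage", "eq", [SYS32 + "userinit.exe"]),
                             ("TargetImage", "eq", ["C:\\Windows\\explorer.exe"])],
    "filter_main_winword": [("SourceImage", "endswith", ["\\WINWORD.EXE"]),
                            ("TargetImage", "startswith", [PF86, PF])],
    "filter_main_ms_office": [("SourceImage", "startswith", [PF + "Microsoft Office\\", PF86 + "Microsoft Office\\"]),
                              ("TargetImage", "eq", ["System"])]}
FILTER_OPTIONAL = {
    "filter_optional_explorer_vmtools": [("SourceImage", "endswith", ["\\SysWOW64\\explorer.exe"]),
        ("TargetImage", "eq", [PF86 + "VMware\\VMware Tools\\vmtoolsd.exe", PF + "VMware\\VMware Tools\\vmtoolsd.exe"])]}

def _pred(event, field, op, values):
    # Sigma string matching is case-insensitive by default, so lowercase both sides.
    actual = event.get(field, "").lower()
    return any({"eq": actual == v.lower(), "endswith": actual.endswith(v.lower()),
                "startswith": actual.startswith(v.lower())}[op] for v in values)

def _block(event, preds):  # a selection/filter holds only if every field predicate holds
    return all(_pred(event, *p) for p in preds)

def rule_matches(event):
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (_block(event, SELECTION)
            and not any(_block(event, f) for f in FILTER_MAIN.values())
            and not any(_block(event, f) for f in FILTER_OPTIONAL.values()))

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 8 records, not real telemetry
    {"SourceImage": SYS32 + "mshta.exe", "TargetImage": "C:\\Windows\\explorer.exe"},      # alert
    {"SourceImage": SYS32 + "Defrag.exe", "TargetImage": SYS32 + "conhost.exe"},           # filter_main_conhost
    {"SourceImage": PF + "Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetImage": PF + "Microsoft\\Edge\\Application\\msedge.exe"},                       # filter_main_winword
    {"SourceImage": PF + "Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},                  # alert: target not covered
    {"SourceImage": SYS32 + "svchost.exe", "TargetImage": SYS32 + "lsass.exe"}]            # not in selection

def evaluate(events=SAMPLE_EVENTS):
    return [rule_matches(e) for e in events]
```

One thing the evaluator makes visible: with the selection as written, filter_optional_explorer_vmtools never changes the outcome, because explorer.exe is not one of the selection suffixes, so such an event already fails on selection alone.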

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses. Rows are grouped by the filter they belong to; within one filter both the SourceImage and the TargetImage predicate must hold for an event to be suppressed.

Filter                            Field        Kind         Excluded value
filter_main_conhost               SourceImage  eq           C:\Windows\System32\Defrag.exe
filter_main_conhost               SourceImage  eq           C:\Windows\System32\makecab.exe
filter_main_conhost               TargetImage  eq           C:\Windows\System32\conhost.exe
filter_main_ms_office             SourceImage  starts_with  C:\Program Files (x86)\Microsoft Office\
filter_main_ms_office             SourceImage  starts_with  C:\Program Files\Microsoft Office\
filter_main_ms_office             TargetImage  eq           System
filter_main_winword               TargetImage  starts_with  C:\Program Files (x86)\
filter_main_winword               TargetImage  starts_with  C:\Program Files\
filter_main_winword               SourceImage  ends_with    \WINWORD.EXE
filter_main_provtol_svchost       SourceImage  eq           C:\Windows\System32\provtool.exe
filter_main_provtol_svchost       TargetImage  eq           C:\Windows\System32\svchost.exe
filter_main_provtool_system       SourceImage  eq           C:\Windows\System32\provtool.exe
filter_main_provtool_system       TargetImage  eq           System
filter_main_userinit              SourceImage  eq           C:\Windows\System32\userinit.exe
filter_main_userinit              TargetImage  eq           C:\Windows\explorer.exe
filter_optional_explorer_vmtools  TargetImage  eq           C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe
filter_optional_explorer_vmtools  TargetImage  eq           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
filter_optional_explorer_vmtools  SourceImage  ends_with    \SysWOW64\explorer.exe

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: SourceImage
Kind: ends_with
Values:
  • \bash.exe corpus 22 (sigma 22)
  • \cscript.exe corpus 73 (sigma 73)
  • \cvtres.exe corpus 2 (sigma 2)
  • \defrag.exe corpus 2 (sigma 2)
  • \dialer.exe
  • \dnx.exe corpus 3 (sigma 3)
  • \esentutl.exe corpus 8 (sigma 8)
  • \excel.exe corpus 18 (sigma 18)
  • \expand.exe corpus 3 (sigma 3)
  • \find.exe corpus 8 (sigma 8)
  • \findstr.exe corpus 12 (sigma 12)
  • \forfiles.exe corpus 12 (sigma 12)
  • \gpupdate.exe corpus 2 (sigma 2)
  • \hh.exe corpus 16 (sigma 16)
  • \installutil.exe corpus 9 (sigma 9)
  • \lync.exe
  • \mDNSResponder.exe
  • \makecab.exe corpus 5 (sigma 5)
  • \monitoringhost.exe corpus 2 (sigma 2)
  • \msbuild.exe corpus 10 (sigma 10)
  • \mshta.exe corpus 67 (sigma 67)
  • \mspaint.exe
  • \outlook.exe corpus 14 (sigma 14)
  • \ping.exe corpus 7 (sigma 7)
  • \provtool.exe
  • \python.exe corpus 5 (sigma 5)
  • \regsvr32.exe corpus 65 (sigma 65)
  • \robocopy.exe corpus 5 (sigma 5)
  • \runonce.exe corpus 4 (sigma 4)
  • \sapcimc.exe
  • \smartscreen.exe corpus 2 (sigma 2)
  • \spoolsv.exe corpus 4 (sigma 4)
  • \tstheme.exe
  • \userinit.exe corpus 2 (sigma 2)
  • \vssadmin.exe corpus 6 (sigma 6)
  • \vssvc.exe
  • \w3wp.exe corpus 6 (sigma 6)
  • \winscp.exe corpus 3 (sigma 3)
  • \winword.exe corpus 20 (sigma 20)
  • \wmic.exe corpus 60 (sigma 60)
  • \wscript.exe corpus 75 (sigma 75)