Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1055 Process Injection |
| Stealth | T1055 Process Injection |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 8 | CreateRemoteThread |
Rule body
```yaml
title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
related:
    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-07-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\explorer.exe'
            - '\iexplore.exe'
            - '\msiexec.exe'
            - '\powerpnt.exe'
            - '\schtasks.exe'
            - '\winlogon.exe'
    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
            - 'C:\Windows\System32\wlrmdr.exe'
            - 'C:\Windows\System32\AtBroker.exe'
            - 'C:\Windows\System32\dwm.exe'
            - 'C:\Windows\System32\fontdrvhost.exe'
            - 'C:\Windows\System32\userinit.exe'
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_explorer:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec_1:
        # Note: MSI installers will trigger this
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    filter_main_msiexec_2:
        SourceImage|endswith: '\msiexec.exe'
        TargetImage:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_iexplore:
        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
        TargetImage:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Windows\System32\rundll32.exe'
    filter_main_powerpnt:
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage|contains:
            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
            - 'C:\Program Files (x86)\Microsoft Office\'
    filter_optional_aurora_smartconsole1:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceCommandLine|contains|all:
            - 'https://'
            - '.checkpoint.com/documents/'
            - 'SmartConsole_OLH/'
            - 'default.htm#cshid='
    filter_optional_aurora_smartconsole2:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceParentImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceParentImage|contains|all:
            - '\CheckPoint\SmartConsole\'
            - '\SmartConsole.exe'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage: 'C:\Windows\System32\csrss.exe'
    filter_main_null:
        TargetImage: null
    filter_main_empty:
        TargetImage: ''
    filter_optional_onedrive:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_aurora:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\aurora-dashboard.exe'
    filter_optional_officesetup:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\OfficeSetup.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: medium
```
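To see how the condition `selection and not 1 of filter_main_* and not 1 of filter_optional_*` behaves on real telemetry, the following Python is an added example (not code from the SigmaHQ rule, the rule author, or this catalog) that evaluates the rule's logic over constructed Sysmon Event ID 8 records. It implements only the Sigma constructs the rule uses (plain equality, `null`, and the `endswith`, `startswith`, `contains` and `contains|all` modifiers, matched case-insensitively as Sigma specifies for strings) and a condensed subset of the rule's filters, so a full backend such as sigma-cli may additionally suppress events that the filters omitted here would catch. The sample events, process names and paths are constructed for the demonstration.

```python
"""Evaluate the rule's selection/filter logic over constructed Sysmon EID 8 records.

Added example; implements a subset of Sigma semantics and a condensed copy of the
rule's detection block. Not the SigmaHQ rule's own code.
"""

# Condensed detection block: the full selection plus a representative subset of
# the rule's filter_main_* / filter_optional_* entries (values taken from the rule).
DETECTION = {
    "selection": {"SourceImage|endswith": [
        "\\explorer.exe", "\\iexplore.exe", "\\msiexec.exe",
        "\\powerpnt.exe", "\\schtasks.exe", "\\winlogon.exe"]},
    "filter_main_winlogon_1": {
        "SourceImage": "C:\\Windows\\System32\\winlogon.exe",
        "TargetImage": ["C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\System32\\dwm.exe"]},
    "filter_main_winlogon_2": {
        "SourceImage": "C:\\Windows\\System32\\winlogon.exe", "TargetParentProcessId": 4},
    "filter_main_explorer": {
        "SourceImage": "C:\\Windows\\explorer.exe",
        "TargetImage|startswith": ["C:\\Program Files\\", "C:\\Windows\\System32\\"]},
    "filter_main_msiexec_1": {
        "SourceImage|endswith": "\\msiexec.exe",
        "TargetImage|contains": ["\\AppData\\Local\\", "C:\\Program Files\\"]},
    "filter_main_null": {"TargetImage": None},
    "filter_optional_onedrive": {
        "SourceImage": "C:\\Windows\\explorer.exe",
        "TargetImage|endswith": "\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
}


def _match_value(actual, op, pattern):
    """Compare one event field with one pattern under a Sigma modifier."""
    if pattern is None:                      # 'null': the field is absent from the event
        return actual is None
    if actual is None:
        return False
    if isinstance(pattern, int):             # numeric field, e.g. TargetParentProcessId: 4
        return actual == pattern
    value, pat = str(actual).lower(), str(pattern).lower()
    if op == "endswith":
        return value.endswith(pat)
    if op == "startswith":
        return value.startswith(pat)
    if op == "contains":
        return pat in value
    return value == pat                      # no modifier: exact, case-insensitive match


def _match_field(event, key, patterns):
    """'Field|mod|all: [..]' requires every pattern; otherwise any one pattern suffices."""
    field, *mods = key.split("|")
    op = next((m for m in mods if m in ("endswith", "startswith", "contains")), "eq")
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event.get(field), op, p) for p in patterns]
    return all(hits) if "all" in mods else any(hits)


def _match_block(event, block):
    """All fields inside one selection/filter map are ANDed together."""
    return all(_match_field(event, k, v) for k, v in block.items())


def rule_matches(event, detection=DETECTION):
    """Evaluate 'selection and not 1 of filter_main_* and not 1 of filter_optional_*'."""
    if not _match_block(event, detection["selection"]):
        return False
    return not any(_match_block(event, blk) for name, blk in detection.items()
                   if name.startswith(("filter_main_", "filter_optional_")))


# Constructed Sysmon Event ID 8 (CreateRemoteThread) records; these are not real logs.
SAMPLE_EVENTS = {
    "winlogon_to_csrss": {  # benign logon plumbing, suppressed by filter_main_winlogon_1
        "SourceImage": "C:\\Windows\\System32\\winlogon.exe",
        "TargetImage": "C:\\Windows\\System32\\csrss.exe", "TargetParentProcessId": 612},
    "winlogon_kernel_child": {  # target's parent is PID 4 (System): filter_main_winlogon_2
        "SourceImage": "C:\\Windows\\System32\\winlogon.exe",
        "TargetImage": "C:\\Windows\\System32\\wininit.exe", "TargetParentProcessId": 4},
    "explorer_to_onedrive": {  # optional filter for the OneDrive client
        "SourceImage": "C:\\Windows\\explorer.exe",
        "TargetImage": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    "explorer_to_downloads": {  # explorer threading into a user-writable path: alert
        "SourceImage": "C:\\Windows\\explorer.exe",
        "TargetImage": "C:\\Users\\alice\\Downloads\\setup_helper.exe"},
    "msiexec_to_windows_temp": {  # msiexec into a path no msiexec filter covers: alert
        "SourceImage": "C:\\Windows\\System32\\msiexec.exe",
        "TargetImage": "C:\\Windows\\Temp\\installer_stub.exe"},
    "explorer_missing_target": {  # TargetImage absent from the event: filter_main_null
        "SourceImage": "C:\\Windows\\explorer.exe"},
    "svchost_source": {  # source not in the selection at all, never evaluated further
        "SourceImage": "C:\\Windows\\System32\\svchost.exe",
        "TargetImage": "C:\\Users\\alice\\Downloads\\setup_helper.exe"},
}


def alerting_events(events=SAMPLE_EVENTS):
    """Return the names of the records the rule would raise as medium-level alerts."""
    return sorted(name for name, ev in events.items() if rule_matches(ev))


if __name__ == "__main__":
    for name in alerting_events():
        print("ALERT", name)
```

Running it reports `explorer_to_downloads` and `msiexec_to_windows_temp`; every other record is either outside the selection or absorbed by one filter. Two details worth noting when porting the rule: fields inside a single filter map are ANDed, so `filter_main_winlogon_2` only suppresses winlogon events whose target's parent is PID 4, and `filter_main_null` fires when `TargetImage` is missing from the event altogether, which is why the rule pairs it with `filter_main_empty` for the empty-string case.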
Stages and Predicates
Stage 0: condition
selection and not 1 of filter_main_* and not 1 of filter_optional_*
Stage 1: selection
```yaml
selection:
    SourceImage|endswith:
        - '\explorer.exe'
        - '\iexplore.exe'
        - '\msiexec.exe'
        - '\powerpnt.exe'
        - '\schtasks.exe'
        - '\winlogon.exe'
```
Stage 2: not filter_main_*
```yaml
filter_main_winlogon_1:
    SourceImage: 'C:\Windows\System32\winlogon.exe'
    TargetImage:
        - 'C:\Windows\System32\services.exe'
        - 'C:\Windows\System32\wininit.exe'
        - 'C:\Windows\System32\csrss.exe'
        - 'C:\Windows\System32\LogonUI.exe'
        - 'C:\Windows\System32\wlrmdr.exe'
        - 'C:\Windows\System32\AtBroker.exe'
        - 'C:\Windows\System32\dwm.exe'
        - 'C:\Windows\System32\fontdrvhost.exe'
        - 'C:\Windows\System32\userinit.exe'
filter_main_winlogon_2:
    SourceImage: 'C:\Windows\System32\winlogon.exe'
    TargetParentProcessId: 4
filter_main_schtasks_conhost:
    SourceImage:
        - 'C:\Windows\System32\schtasks.exe'
        - 'C:\Windows\SysWOW64\schtasks.exe'
    TargetImage: 'C:\Windows\System32\conhost.exe'
filter_main_explorer:
    SourceImage: 'C:\Windows\explorer.exe'
    TargetImage|startswith:
        - 'C:\Program Files (x86)\'
        - 'C:\Program Files\'
        - 'C:\Windows\System32\'
        - 'C:\Windows\SysWOW64\'
filter_main_system:
    TargetImage: 'System'
filter_main_msiexec_1:
    SourceImage|endswith: '\msiexec.exe'
    TargetImage|contains:
        - '\AppData\Local\'
        - 'C:\Program Files (x86)\'
        - 'C:\Program Files\'
        - 'C:\Windows\Microsoft.NET\Framework64\'
filter_main_msiexec_2:
    SourceImage|endswith: '\msiexec.exe'
    TargetImage:
        - 'C:\Windows\System32\msiexec.exe'
        - 'C:\Windows\SysWOW64\msiexec.exe'
filter_main_iexplore:
    SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
    TargetImage:
        - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
        - 'C:\Windows\System32\rundll32.exe'
filter_main_powerpnt:
    SourceImage|endswith: '\POWERPNT.EXE'
    TargetImage|contains:
        - 'C:\Program Files\Microsoft Office\'
        - 'C:\Program Files (x86)\Microsoft Office\'
filter_main_null:
    TargetImage: null
filter_main_empty:
    TargetImage: ''
```
Stage 3: not filter_optional_*
```yaml
filter_optional_aurora_smartconsole1:
    SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
    SourceCommandLine|contains|all:
        - 'https://'
        - '.checkpoint.com/documents/'
        - 'SmartConsole_OLH/'
        - 'default.htm#cshid='
filter_optional_aurora_smartconsole2:
    SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
    SourceParentImage|startswith:
        - 'C:\Program Files\'
        - 'C:\Program Files (x86)\'
    SourceParentImage|contains|all:
        - '\CheckPoint\SmartConsole\'
        - '\SmartConsole.exe'
filter_optional_powerpnt:
    SourceImage|contains: '\Microsoft Office\'
    SourceImage|endswith: '\POWERPNT.EXE'
    TargetImage: 'C:\Windows\System32\csrss.exe'
filter_optional_onedrive:
    SourceImage: 'C:\Windows\explorer.exe'
    TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
filter_optional_aurora:
    SourceImage: 'C:\Windows\explorer.exe'
    TargetImage|endswith: '\aurora-dashboard.exe'
filter_optional_officesetup:
    SourceImage: 'C:\Windows\explorer.exe'
    TargetImage|endswith: '\OfficeSetup.exe'
```
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses. Rows are listed filter by filter, and the fields within one filter are ANDed, so a filter suppresses an event only when all of its predicates match; a single row on its own (for example `SourceImage | eq | C:\Windows\explorer.exe`) excludes nothing by itself.
| Field | Kind | Excluded values |
|---|---|---|
| SourceImage | eq | C:\Windows\SysWOW64\schtasks.exe |
| SourceImage | eq | C:\Windows\System32\schtasks.exe |
| TargetImage | eq | C:\Windows\System32\conhost.exe |
| TargetImage | eq | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| TargetImage | eq | C:\Windows\System32\rundll32.exe |
| SourceImage | eq | C:\Program Files\Internet Explorer\iexplore.exe |
| TargetImage | eq | C:\Windows\SysWOW64\msiexec.exe |
| TargetImage | eq | C:\Windows\System32\msiexec.exe |
| SourceImage | ends_with | \msiexec.exe |
| TargetImage | eq | C:\Windows\System32\AtBroker.exe |
| TargetImage | eq | C:\Windows\System32\LogonUI.exe |
| TargetImage | eq | C:\Windows\System32\csrss.exe |
| TargetImage | eq | C:\Windows\System32\dwm.exe |
| TargetImage | eq | C:\Windows\System32\fontdrvhost.exe |
| TargetImage | eq | C:\Windows\System32\services.exe |
| TargetImage | eq | C:\Windows\System32\userinit.exe |
| TargetImage | eq | C:\Windows\System32\wininit.exe |
| TargetImage | eq | C:\Windows\System32\wlrmdr.exe |
| SourceImage | eq | C:\Windows\System32\winlogon.exe |
| TargetImage | match | C:\Program Files (x86)\ |
| TargetImage | match | C:\Program Files\ |
| TargetImage | match | C:\Windows\Microsoft.NET\Framework64\ |
| TargetImage | match | \AppData\Local\ |
| SourceImage | ends_with | \msiexec.exe |
| TargetImage | match | C:\Program Files (x86)\Microsoft Office\ |
| TargetImage | match | C:\Program Files\Microsoft Office\ |
| SourceImage | ends_with | \POWERPNT.EXE |
| TargetImage | starts_with | C:\Program Files (x86)\ |
| TargetImage | starts_with | C:\Program Files\ |
| TargetImage | starts_with | C:\Windows\SysWOW64\ |
| TargetImage | starts_with | C:\Windows\System32\ |
| SourceImage | eq | C:\Windows\explorer.exe |
| SourceImage | eq | C:\Windows\System32\winlogon.exe |
| TargetParentProcessId | eq | 4 |
| TargetImage | eq | System |
| TargetImage | is_null | |
| SourceParentImage | starts_with | C:\Program Files (x86)\ |
| SourceParentImage | starts_with | C:\Program Files\ |
| SourceImage | eq | C:\Program Files\internet explorer\iexplore.exe |
| SourceParentImage | match | \CheckPoint\SmartConsole\ |
| SourceParentImage | match | \SmartConsole.exe |
| SourceCommandLine | match | .checkpoint.com/documents/ |
| SourceCommandLine | match | SmartConsole_OLH/ |
| SourceCommandLine | match | default.htm#cshid= |
| SourceCommandLine | match | https:// |
| SourceImage | eq | C:\Program Files\internet explorer\iexplore.exe |
| SourceImage | ends_with | \POWERPNT.EXE |
| SourceImage | match | \Microsoft Office\ |
| TargetImage | eq | C:\Windows\System32\csrss.exe |
| SourceImage | eq | C:\Windows\explorer.exe |
| TargetImage | ends_with | \AppData\Local\Microsoft\OneDrive\OneDrive.exe |
| SourceImage | eq | C:\Windows\explorer.exe |
| TargetImage | ends_with | \OfficeSetup.exe |
| SourceImage | eq | C:\Windows\explorer.exe |
| TargetImage | ends_with | \aurora-dashboard.exe |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| SourceImage | ends_with | \explorer.exe, \iexplore.exe, \msiexec.exe, \powerpnt.exe, \schtasks.exe, \winlogon.exe |