Sigma / high / Hunting

Rare Remote Thread Creation By Uncommon Source Image

Detects uncommon processes creating remote threads.

MITRE ATT&CK

privilege-escalation, defense-evasion

Detection Query

selection:
  SourceImage|endswith:
    - \bash.exe
    - \cscript.exe
    - \cvtres.exe
    - \defrag.exe
    - \dialer.exe
    - \dnx.exe
    - \esentutl.exe
    - \excel.exe
    - \expand.exe
    - \find.exe
    - \findstr.exe
    - \forfiles.exe
    - \gpupdate.exe
    - \hh.exe
    - \installutil.exe
    - \lync.exe
    - \makecab.exe
    - \mDNSResponder.exe
    - \monitoringhost.exe
    - \msbuild.exe
    - \mshta.exe
    - \mspaint.exe
    - \outlook.exe
    - \ping.exe
    - \provtool.exe
    - \python.exe
    - \regsvr32.exe
    - \robocopy.exe
    - \runonce.exe
    - \sapcimc.exe
    - \smartscreen.exe
    - \spoolsv.exe
    - \tstheme.exe
    - \userinit.exe
    - \vssadmin.exe
    - \vssvc.exe
    - \w3wp.exe
    - \winscp.exe
    - \winword.exe
    - \wmic.exe
    - \wscript.exe
filter_main_conhost:
  SourceImage:
    - C:\Windows\System32\Defrag.exe
    - C:\Windows\System32\makecab.exe
  TargetImage: C:\Windows\System32\conhost.exe
filter_main_provtol_svchost:
  SourceImage: C:\Windows\System32\provtool.exe
  TargetImage: C:\Windows\System32\svchost.exe
filter_main_provtool_system:
  SourceImage: C:\Windows\System32\provtool.exe
  TargetImage: System
filter_main_userinit:
  SourceImage: C:\Windows\System32\userinit.exe
  TargetImage: C:\Windows\explorer.exe
filter_main_winword:
  SourceImage|endswith: \WINWORD.EXE
  TargetImage|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
filter_main_ms_office:
  SourceImage|startswith:
    - C:\Program Files\Microsoft Office\
    - C:\Program Files (x86)\Microsoft Office\
  TargetImage: System
filter_optional_explorer_vmtools:
  SourceImage|endswith: \SysWOW64\explorer.exe
  TargetImage:
    - C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe
    - C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Perez Diego (@darkquassar), oscd.community

Created

2019-10-27

Data Sources

windows / Remote Thread Creation

Platforms

windows

Tags

attack.privilege-escalation, attack.defense-evasion, attack.t1055

Raw Content

title: Rare Remote Thread Creation By Uncommon Source Image
id: 02d1d718-dd13-41af-989d-ea85c7fab93f
related:
    - id: 66d31e5f-52d6-40a4-9615-002d3789a119
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
            - '\cscript.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dialer.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe'
            - '\winscp.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_conhost:
        SourceImage:
            - 'C:\Windows\System32\Defrag.exe'
            - 'C:\Windows\System32\makecab.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_provtol_svchost:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'C:\Windows\System32\svchost.exe'
    filter_main_provtool_system:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'System'
    filter_main_userinit:
        SourceImage: 'C:\Windows\System32\userinit.exe'
        TargetImage: 'C:\Windows\explorer.exe'
    filter_main_winword:
        SourceImage|endswith: '\WINWORD.EXE'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\' # C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            - 'C:\Program Files\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
    filter_main_ms_office:
        # Raised by following issue: https://github.com/SigmaHQ/sigma/issues/5529
        SourceImage|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        TargetImage: 'System'
    filter_optional_explorer_vmtools:
        SourceImage|endswith: '\SysWOW64\explorer.exe'
        TargetImage:
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: high
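Added example (Python; not code from this page, SigmaHQ or pySigma): a toy evaluator that applies the rule's detection logic, including the `1 of filter_main_*` exclusions and Sigma's case-insensitive string matching, to a few constructed Sysmon Event ID 8 (CreateRemoteThread) records. The rule map is abridged to a handful of the 41 selection suffixes, and the Office install paths in the sample events are assumed, not taken from the page.

```python
# Abridged copy of the rule's detection map (the selection keeps a few of its 41 suffixes).
RULE = {
    "selection": {"SourceImage|endswith": ["\\defrag.exe", "\\makecab.exe", "\\mshta.exe",
                                           "\\provtool.exe", "\\winword.exe", "\\wscript.exe"]},
    "filter_main_conhost": {
        "SourceImage": ["C:\\Windows\\System32\\Defrag.exe", "C:\\Windows\\System32\\makecab.exe"],
        "TargetImage": "C:\\Windows\\System32\\conhost.exe"},
    "filter_main_winword": {
        "SourceImage|endswith": "\\WINWORD.EXE",
        "TargetImage|startswith": ["C:\\Program Files (x86)\\", "C:\\Program Files\\"]},
    "filter_main_ms_office": {
        "SourceImage|startswith": ["C:\\Program Files\\Microsoft Office\\",
                                   "C:\\Program Files (x86)\\Microsoft Office\\"],
        "TargetImage": "System"},
}

def _field_matches(event, key, patterns):
    """One 'Field|modifier' entry; list values are OR-ed; Sigma compares case-insensitively."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for p in patterns if isinstance(patterns, list) else [patterns]:
        p = p.lower()
        if modifier == "endswith" and value.endswith(p): return True
        if modifier == "startswith" and value.startswith(p): return True
        if modifier == "" and value == p: return True
    return False

def _block_matches(event, block):
    """Every field inside one selection/filter map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def evaluate(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _block_matches(event, RULE["selection"]):
        return False
    filters = [n for n in RULE if n.startswith(("filter_main_", "filter_optional_"))]
    return not any(_block_matches(event, RULE[n]) for n in filters)

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, not real telemetry.
EVENTS = [
    {"SourceImage": "C:\\Windows\\System32\\Defrag.exe", "TargetImage": "C:\\Windows\\System32\\conhost.exe"},
    {"SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"},
    {"SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"SourceImage": "C:\\Windows\\System32\\mshta.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
]

def alerts(events=EVENTS):
    return [(e["SourceImage"], e["TargetImage"]) for e in events if evaluate(e)]
```

Of the four records only the two that target svchost.exe fire: Defrag.exe into conhost.exe is dropped by filter_main_conhost, and WINWORD.EXE into an msedge.exe under Program Files (x86) is dropped by filter_main_winword even though the selection entry is lowercase.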