sigmamediumHunting

CreateRemoteThread API and LoadLibrary

Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process

MITRE ATT&CK

defense-evasionprivilege-escalation

Detection Query

selection:
  StartModule|endswith: \kernel32.dll
  StartFunction: LoadLibraryA
condition: selection

Author

Roberto Rodriguez @Cyb3rWard0g

Created

2019-08-11

Data Sources

windowsRemote Thread Creation

Platforms

windows

References

https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html

Tags

attack.defense-evasionattack.privilege-escalationattack.t1055.001detection.threat-hunting

Raw Content

title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
status: test
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
references:
    - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2024-01-22
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1055.001
    - detection.threat-hunting
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartModule|endswith: '\kernel32.dll'
        StartFunction: 'LoadLibraryA'
    condition: selection
falsepositives:
    - Unknown
level: medium