Sigma rule, level: high, Hunting

HackTool - CACTUSTORCH Remote Thread Creation

Detects remote thread creation from CACTUSTORCH as described in references.

MITRE ATT&CK

privilege-escalation, defense-evasion, execution

Detection Query

selection:
  SourceImage|endswith:
    - \System32\cscript.exe
    - \System32\wscript.exe
    - \System32\mshta.exe
    - \winword.exe
    - \excel.exe
  TargetImage|contains: \SysWOW64\
  StartModule: null
condition: selection

Author

@SBousseaden (detection), Thomas Patzke (rule)

Created

2019-02-01

Data Sources

windows: Remote Thread Creation

Platforms

windows

Tags

attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1055.012, attack.t1059.005, attack.t1059.007, attack.t1218.005

Raw Content

title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
    - https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.execution
    - attack.t1055.012
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\System32\cscript.exe'
            - '\System32\wscript.exe'
            - '\System32\mshta.exe'
            - '\winword.exe'
            - '\excel.exe'
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
falsepositives:
    - Unknown
level: high
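To see how the rule's selection evaluates against telemetry, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that applies the three field conditions, with Sigma's default case-insensitive string matching, to constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread). Treating a `StartModule` value of `-` as null is an assumption about how Sysmon reports an unresolved module; in production the matching is done by your SIEM's Sigma backend, whose `null` handling should be checked.

```python
"""Apply the CACTUSTORCH Sigma selection to constructed Sysmon Event ID 8 records."""

SOURCE_SUFFIXES = (
    "\\System32\\cscript.exe",
    "\\System32\\wscript.exe",
    "\\System32\\mshta.exe",
    "\\winword.exe",
    "\\excel.exe",
)
TARGET_SUBSTRING = "\\SysWOW64\\"


def is_null(value):
    """Sigma `null` matches a missing field. Sysmon writes "-" when StartModule is
    unresolved, so "-" is treated as null here too (assumption, not from the rule)."""
    return value is None or value in ("", "-")


def matches_rule(event: dict) -> bool:
    """All three selection conditions must hold (Sigma `condition: selection`)."""
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    source_ok = any(source.endswith(s.lower()) for s in SOURCE_SUFFIXES)
    target_ok = TARGET_SUBSTRING.lower() in target
    start_ok = is_null(event.get("StartModule"))
    return source_ok and target_ok and start_ok


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 8.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Windows\\System32\\wscript.exe",
     "TargetImage": "C:\\Windows\\SysWOW64\\notepad.exe", "StartModule": "-"},  # match
    {"SourceImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetImage": "C:\\Windows\\SysWOW64\\rundll32.exe"},  # StartModule absent: match
    {"SourceImage": "C:\\Windows\\System32\\wscript.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartModule": "-"},  # 64-bit target: no
    {"SourceImage": "C:\\Windows\\System32\\mshta.exe",
     "TargetImage": "C:\\Windows\\SysWOW64\\notepad.exe",
     "StartModule": "C:\\Windows\\SysWOW64\\kernel32.dll"},  # module resolved: no
    {"SourceImage": "C:\\Windows\\SysWOW64\\wscript.exe",
     "TargetImage": "C:\\Windows\\SysWOW64\\notepad.exe", "StartModule": "-"},  # 32-bit host: no
]


def run_rule(events):
    """Return the indexes of the events the selection matches."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event[{i}]: {ev['SourceImage']} -> {ev['TargetImage']}")
```

Note that the last sample shows a gap a reviewer may want to weigh: the rule keys on the 64-bit script hosts under `\System32\`, so the same injection launched from the 32-bit `\SysWOW64\wscript.exe` does not match.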