sigmamediumHunting

Remote Thread Creation Via PowerShell In Uncommon Target

Detects the creation of a remote thread from a Powershell process in an uncommon target process

MITRE ATT&CK

defense-evasionexecution

Detection Query

selection:
  SourceImage|endswith:
    - \powershell.exe
    - \pwsh.exe
  TargetImage|endswith:
    - \rundll32.exe
    - \regsvr32.exe
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2018-06-25

Data Sources

windowsRemote Thread Creation

Platforms

windows

References

https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html

Tags

attack.defense-evasionattack.executionattack.t1218.011attack.t1059.001

Raw Content

title: Remote Thread Creation Via PowerShell In Uncommon Target
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
related:
    - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
      type: similar
status: test
description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
references:
    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
author: Florian Roth (Nextron Systems)
date: 2018-06-25
modified: 2023-11-10
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1218.011
    - attack.t1059.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetImage|endswith:
            # Note: Please add additional potential interesting targets to increase coverage
            - '\rundll32.exe'
            - '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium