EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Remote Thread Creation In Uncommon Target Image

Detects uncommon target processes for remote thread creation

MITRE ATT&CK

T1055.003
defense-evasionprivilege-escalation

Detection Query

selection:
  TargetImage|endswith:
    - \calc.exe
    - \calculator.exe
    - \mspaint.exe
    - \notepad.exe
    - \ping.exe
    - \sethc.exe
    - \spoolsv.exe
    - \wordpad.exe
    - \write.exe
filter_main_csrss:
  SourceImage: C:\Windows\System32\csrss.exe
filter_main_notepad:
  SourceImage:
    - C:\Windows\System32\explorer.exe
    - C:\Windows\System32\OpenWith.exe
  TargetImage: C:\Windows\System32\notepad.exe
filter_main_sethc:
  SourceImage: C:\Windows\System32\AtBroker.exe
  TargetImage: C:\Windows\System32\Sethc.exe
filter_optional_aurora_1:
  StartFunction: EtwpNotificationThread
filter_optional_aurora_2:
  SourceImage|contains: unknown process
filter_optional_vmtoolsd:
  SourceImage: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
  StartFunction: GetCommandLineW
  TargetImage:
    - C:\Windows\System32\notepad.exe
    - C:\Windows\System32\spoolsv.exe
filter_optional_xerox_pjems:
  SourceImage: C:\Program
    Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe
  StartFunction: LoadLibraryW
  TargetImage: C:\Windows\System32\spoolsv.exe
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Florian Roth (Nextron Systems)

Created

2022-03-16

Data Sources

windowsRemote Thread Creation

Platforms

windows

References

Tags

attack.defense-evasionattack.privilege-escalationattack.t1055.003
Raw Content
title: Remote Thread Creation In Uncommon Target Image
id: a1a144b7-5c9b-4853-a559-2172be8d4a03
related:
    - id: f016c716-754a-467f-a39e-63c06f773987
      type: obsolete
status: test
description: Detects uncommon target processes for remote thread creation
references:
    - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth (Nextron Systems)
date: 2022-03-16
modified: 2025-07-04
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1055.003
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith:
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\sethc.exe'
            - '\spoolsv.exe'
            - '\wordpad.exe'
            - '\write.exe'
    filter_main_csrss:
        SourceImage: 'C:\Windows\System32\csrss.exe'
    filter_main_notepad:
        SourceImage:
            - 'C:\Windows\System32\explorer.exe'
            - 'C:\Windows\System32\OpenWith.exe'
        TargetImage: 'C:\Windows\System32\notepad.exe'
    filter_main_sethc:
        SourceImage: 'C:\Windows\System32\AtBroker.exe'
        TargetImage: 'C:\Windows\System32\Sethc.exe'
    filter_optional_aurora_1:
        StartFunction: 'EtwpNotificationThread'
    filter_optional_aurora_2:
        SourceImage|contains: 'unknown process'
    filter_optional_vmtoolsd:
        SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
        StartFunction: 'GetCommandLineW'
        TargetImage:
            - 'C:\Windows\System32\notepad.exe'
            - 'C:\Windows\System32\spoolsv.exe'
    filter_optional_xerox_pjems:
        SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
        StartFunction: 'LoadLibraryW'
        TargetImage: 'C:\Windows\System32\spoolsv.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium