← Back to Explore
sigmahighHunting
Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Detection Query
selection:
TargetImage|endswith: \mstsc.exe
SourceImage|contains:
- :\Temp\
- :\Users\Public\
- :\Windows\PerfLogs\
- :\Windows\Tasks\
- :\Windows\Temp\
- \AppData\Local\Temp\
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-07-28
Data Sources
windowsRemote Thread Creation
Platforms
windows
Tags
attack.credential-access
Raw Content
title: Remote Thread Creation In Mstsc.Exe From Suspicious Location
id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
status: test
description: |
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
references:
- https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2024-01-22
tags:
- attack.credential-access
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith: '\mstsc.exe'
SourceImage|contains:
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\PerfLogs\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
condition: selection
falsepositives:
- Unknown
level: high