EXPLORE
← Back to Explore
splunk_escuTTP

Powershell Remote Thread To Known Windows Process

The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.

Detection Query

`sysmon`
EventCode=8
SourceImage IN (
    "*\\powershell_ise.exe",
    "*\\powershell.exe",
    "*\\pwsh.exe"
)
TargetImage IN (
    "*\\csrss.exe",
    "*\\explorer.exe",
    "*\\gpupdate.exe",
    "*\\services.exe",
    "*\\smss.exe",
    "*\\spoolsv.exe",
    "*\\svchost.exe",
    "*\\taskhost.exe",
    "*\\userinit.exe",
    "*\\wininit.exe",
    "*\\winlogon.exe"
)
| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(NewThreadId) as "NewThreadId"
              values(StartAddress) as "StartAddress"
  by dest signature_id signature
     SourceProcessGuid SourceProcessId SourceImage
     TargetProcessGuid TargetProcessId TargetImage
     StartModule StartFunction vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_remote_thread_to_known_windows_process_filter`

Author

Teoderick Contreras, Splunk

Data Sources

Sysmon EventID 8
Raw Content
name: Powershell Remote Thread To Known Windows Process
id: ec102cb2-a0f5-11eb-9b38-acde48001122
version: 12
creation_date: '2021-04-26'
modification_date: '2026-07-01'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: |-
    The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread.
    It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others.
    This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware.
    If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
data_source:
    - Sysmon EventID 8
search: |-
    `sysmon`
    EventCode=8
    SourceImage IN (
        "*\\powershell_ise.exe",
        "*\\powershell.exe",
        "*\\pwsh.exe"
    )
    TargetImage IN (
        "*\\csrss.exe",
        "*\\explorer.exe",
        "*\\gpupdate.exe",
        "*\\services.exe",
        "*\\smss.exe",
        "*\\spoolsv.exe",
        "*\\svchost.exe",
        "*\\taskhost.exe",
        "*\\userinit.exe",
        "*\\wininit.exe",
        "*\\winlogon.exe"
    )
    | stats count min(_time) as firstTime
                  max(_time) as lastTime
                  values(NewThreadId) as "NewThreadId"
                  values(StartAddress) as "StartAddress"
      by dest signature_id signature
         SourceProcessGuid SourceProcessId SourceImage
         TargetProcessGuid TargetProcessId TargetImage
         StartModule StartFunction vendor_product
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `powershell_remote_thread_to_known_windows_process_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, Create Remote thread from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances of create remote thread may be used.
known_false_positives: No false positives have been identified at this time.
references:
    - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: A suspicious powershell process $SourceImage$ created a remote thread into the target process $TargetImage$ on host $dest$
    entity:
        field: dest
        type: system
        score: 50
threat_objects:
    - field: SourceImage
      type: process_name
    - field: TargetImage
      type: process_name
analytic_story:
    - Trickbot
asset_type: Endpoint
mitre_attack_id:
    - T1055
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/infection/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit