Techniques
Sample rules
Remote Thread Creation By Uncommon Source Image
- source: sigma
- techniques:
  - t1055
Description
Detects uncommon processes creating remote threads.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_empty:
  TargetImage: ''
filter_main_explorer:
  SourceImage: C:\Windows\explorer.exe
  TargetImage|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
    - C:\Windows\System32\
    - C:\Windows\SysWOW64\
filter_main_msiexec:
  SourceImage|endswith: \msiexec.exe
  TargetImage|contains:
    - \AppData\Local\
    - C:\Program Files (x86)\
    - C:\Program Files\
filter_main_null:
  TargetImage: null
filter_main_schtasks_conhost:
  SourceImage:
    - C:\Windows\System32\schtasks.exe
    - C:\Windows\SysWOW64\schtasks.exe
  TargetImage: C:\Windows\System32\conhost.exe
filter_main_system:
  TargetImage: System
filter_main_winlogon_1:
  SourceImage: C:\Windows\System32\winlogon.exe
  TargetImage:
    - C:\Windows\System32\services.exe
    - C:\Windows\System32\wininit.exe
    - C:\Windows\System32\csrss.exe
    - C:\Windows\System32\LogonUI.exe
filter_main_winlogon_2:
  SourceImage: C:\Windows\System32\winlogon.exe
  TargetParentProcessId: 4
filter_optional_aurora_smartconsole1:
  SourceCommandLine|contains|all:
    - https://
    - .checkpoint.com/documents/
    - SmartConsole_OLH/
    - default.htm#cshid=
  SourceImage: C:\Program Files\internet explorer\iexplore.exe
filter_optional_aurora_smartconsole2:
  SourceImage: C:\Program Files\internet explorer\iexplore.exe
  SourceParentImage|contains|all:
    - \CheckPoint\SmartConsole\
    - \SmartConsole.exe
  SourceParentImage|startswith:
    - C:\Program Files\
    - C:\Program Files (x86)\
filter_optional_powerpnt:
  SourceImage|contains: \Microsoft Office\
  SourceImage|endswith: \POWERPNT.EXE
  TargetImage: C:\Windows\System32\csrss.exe
selection:
  SourceImage|endswith:
    - \explorer.exe
    - \iexplore.exe
    - \msiexec.exe
    - \powerpnt.exe
    - \schtasks.exe
    - \winlogon.exe
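To show how the condition above resolves against real telemetry, here is an added example (not the Sigma project's own code or any backend) that evaluates the selection and a subset of the filter_main_* blocks of this rule over constructed Sysmon Event ID 8 (CreateRemoteThread) records; the field names follow Sysmon, and the event values themselves are made up for the example.

```python
# Added example (not Sigma's code): evaluate the rule above over constructed Sysmon EID 8 records.
_OPS = {"endswith": str.endswith, "startswith": str.startswith,
        "contains": lambda v, p: p in v}

def _match_one(value, mods, pattern):
    """One Sigma string comparison; case-insensitive as in Sigma, 'null' means an absent field."""
    if pattern is None or value is None:
        return pattern is None and value is None
    v, p = str(value).lower(), str(pattern).lower()
    op = next((_OPS[m] for m in mods if m in _OPS), str.__eq__)
    return op(v, p)

def block_matches(event, block):
    """Keys in a block are AND-ed; list values are OR-ed, or AND-ed when the |all modifier is set."""
    for key, patterns in block.items():
        field, *mods = key.split("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_one(event.get(field), mods, p) for p in pats]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

SELECTION = {"SourceImage|endswith": ["\\explorer.exe", "\\iexplore.exe", "\\msiexec.exe",
                                      "\\powerpnt.exe", "\\schtasks.exe", "\\winlogon.exe"]}
# A subset of the rule's filter_main_* blocks; filter_optional_* are left out for brevity.
FILTERS = [
    {"TargetImage": ""},                               # filter_main_empty
    {"TargetImage": None},                             # filter_main_null
    {"SourceImage": "C:\\Windows\\explorer.exe",       # filter_main_explorer
     "TargetImage|startswith": ["C:\\Program Files (x86)\\", "C:\\Program Files\\",
                                "C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]},
    {"SourceImage": "C:\\Windows\\System32\\winlogon.exe", "TargetParentProcessId": 4},
]

def rule_fires(event):
    """condition: selection and not 1 of filter_main_*"""
    return block_matches(event, SELECTION) and not any(block_matches(event, f) for f in FILTERS)

# Constructed sample events; only the first one should produce an alert.
EVENTS = [
    {"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Users\\a\\Downloads\\x.exe"},
    {"SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"SourceImage": "C:\\Windows\\System32\\winlogon.exe", "TargetImage": "C:\\Temp\\y.exe",
     "TargetParentProcessId": 4},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
]

def alerting_sources(events=EVENTS):
    """Return the SourceImage of every event the rule would alert on."""
    return [e["SourceImage"] for e in events if rule_fires(e)]
```

The second and third sample events are suppressed by filter_main_explorer and filter_main_winlogon_2 respectively, which is the usual place to look when a rule is quieter than expected: a filter that is too broad hides exactly the injection this rule is meant to surface.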
Rare Remote Thread Creation By Uncommon Source Image
- source: sigma
- techniques:
  - t1055
Description
Detects uncommon processes creating remote threads.
Detection logic
condition: selection
selection:
  SourceImage|endswith:
    - \bash.exe
    - \cscript.exe
    - \cvtres.exe
    - \defrag.exe
    - \dialer.exe
    - \dnx.exe
    - \esentutl.exe
    - \excel.exe
    - \expand.exe
    - \find.exe
    - \findstr.exe
    - \forfiles.exe
    - \gpupdate.exe
    - \hh.exe
    - \installutil.exe
    - \lync.exe
    - \makecab.exe
    - \mDNSResponder.exe
    - \monitoringhost.exe
    - \msbuild.exe
    - \mshta.exe
    - \mspaint.exe
    - \outlook.exe
    - \ping.exe
    - \provtool.exe
    - \python.exe
    - \regsvr32.exe
    - \robocopy.exe
    - \runonce.exe
    - \sapcimc.exe
    - \smartscreen.exe
    - \spoolsv.exe
    - \tstheme.exe
    - \userinit.exe
    - \vssadmin.exe
    - \vssvc.exe
    - \w3wp.exe
    - \winscp.exe
    - \winword.exe
    - \wmic.exe
    - \wscript.exe