In this article:
Objective
Prerequisites
Steps to follow
Validation and confirmation
Tips
Related topics and articles
Objective
This article explains how to use ADAudit Plus to detect a potential Remote Thread Creation attack based on System Monitor (Sysmon) event logs, understand the immediate remediation steps, and implement long-term prevention strategies.
Prerequisites
You must have administrator access to the ADAudit Plus web console.
Sysmon must be deployed and configured on the endpoints (servers and workstations) you wish to monitor.
ADAudit Plus must be configured to collect and process Sysmon event logs from these endpoints.
Steps to follow
The process for handling a remote thread creation attack involves detection, immediate remediation, and prevention.
Part 1: Detecting the attack
Navigate to the Active Directory tab > Attack Surface Analyzer > Threats > Remote Thread.
This report shows all detections related to a possible remote thread creation attack, which is a common technique used for process injection.
Part 2: Understanding the detection criteria
ADAudit Plus detects a potential remote thread creation attack based on the following pattern from Sysmon logs:
Description: A thread is attached to a process by another process, giving the attacker access to the target process's memory and code space to execute malicious code discreetly.
Detection logic (Sysmon):
Event code equals 8 (CreateRemoteThread).
Source User is not equal to NT AUTHORITY\SYSTEM.
Source User does not contain DWM (Desktop Window Manager, which performs legitimate remote thread creation).
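The three criteria above, applied to Sysmon Event ID 8 records in their Windows event XML form, as an added example (not ADAudit Plus code); the sample records are constructed, the field names follow Sysmon's Event 8 schema, and the case-insensitive comparison of Source User is an assumption the article does not state:

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML as exported from Sysmon / Event Viewer.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_sysmon_event(xml_text):
    """Return (event_id, {DataName: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def matches_remote_thread_rule(event_id, data):
    """EventID must be 8; SourceUser must not be SYSTEM and must not contain DWM.
    Comparison is case-insensitive (assumption; the article does not say)."""
    if event_id != 8:
        return False
    user = data.get("SourceUser", "").upper()
    if user == r"NT AUTHORITY\SYSTEM":
        return False
    if "DWM" in user:
        return False
    return True

def make_event(event_id, source_user, source_image, target_image):
    """Build a minimal constructed Sysmon record (not a real capture) for testing."""
    fields = {"SourceUser": source_user, "SourceImage": source_image, "TargetImage": target_image}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample records, one per branch of the rule (none is a real log).
SAMPLE_EVENTS = [
    make_event(8, r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe"),
    make_event(8, r"Window Manager\DWM-1", r"C:\Windows\System32\dwm.exe", r"C:\Windows\explorer.exe"),
    make_event(8, r"CORP\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\suspect.exe", r"C:\Windows\explorer.exe"),
    make_event(1, r"CORP\jdoe", r"C:\Windows\System32\cmd.exe", ""),  # process create, not a thread
]

def find_alerts(xml_records):
    """Return (SourceUser, SourceImage, TargetImage) for every record that triggers the rule."""
    alerts = []
    for record in xml_records:
        event_id, data = parse_sysmon_event(record)
        if matches_remote_thread_rule(event_id, data):
            alerts.append((data["SourceUser"], data["SourceImage"], data["TargetImage"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("Remote thread alert:", alert)
```

Only the third record survives the filter: the SYSTEM and DWM records are the expected legitimate cases the rule excludes, and the Event ID 1 record is not a thread creation at all.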
Part 3: Immediate remediation
Detecting remote thread creation can indicate active malware or an attacker on your network. Act immediately.
Isolate the affected machines: The event log will show the Source Process and Target Process, along with the machines they are running on. Isolate both the source and target machines from the network immediately to prevent lateral movement.
Investigate the processes: Analyze both the source and target processes identified in the alert. Determine if they are legitimate system processes being abused (e.g., explorer.exe, svchost.exe) or unauthorized executables.
Terminate malicious processes: If the processes are confirmed to be part of an attack, terminate them on the affected machines.
Scan for malware: Conduct a full forensic scan on both the source and target machines to identify the malware or tool used to initiate the process injection.
Investigate the user account: The user account associated with the source process (Source User) may be compromised. Force a password reset and review its recent activity for other suspicious actions.
Validation and confirmation
After remediation, monitor the Remote Thread report in ADAudit Plus to ensure no new suspicious remote thread creations are detected.
Forensic analysis of the affected machines should confirm the removal of any related malware or persistence mechanisms.
The affected machines should be considered compromised and may need to be rebuilt from a known-good image.
Tips
The following best practices can help prevent remote thread creation attacks.
Application controls and allowlisting
Use application control solutions to prevent unauthorized executables from running. If an attacker cannot run their initial payload, they cannot inject code into another process.
Principle of least privilege
Ensure the principle of least privilege (PoLP) is maintained so that users and service accounts run with the minimum privileges necessary. An attacker who compromises a standard user account will have a much harder time injecting code into critical system processes.
Regular patching
Keep operating systems and applications fully patched to prevent attackers from gaining an initial foothold through which they can then perform process injection and other malicious activities.
Related topics and articles
How to detect and respond to a Suspicious Process alert using ADAudit Plus