Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.

This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Process Injection Dynamic-link Library Injection Defense Evasion Moderate
Abuse Elevation Control Mechanism Bypass User Account Control Privilege Escalation Moderate

D3FEND Techniques

ID Name
D3-SCA System Call Analysis

Data Model References

Object Action Field
thread remote_create src_pid
thread remote_create start_function



Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted.

remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

output remote_thread

Logpoint, LogPoint native

LogPoint version of the above pseudocode.

norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"

True Positives

Mordor (sysmon)

Sysmon event from the Mordor Empire DLL Injection dataset.

Full Event
Event Snippet
	"@event_date_creation": "2019-05-18T22:15:33.007Z",
	"@timestamp": "2019-05-18T22:15:33.697Z",
	"@version": "1",
	"action": "createremotethread",
	"event_id": 8,
	"log_ingest_timestamp": "2019-05-18T22:15:33.697Z",
	"log_name": "Microsoft-Windows-Sysmon/Operational",
	"opcode": "Info",
	"process_guid": "03ba39f5-50b2-5ce0-0000-00109995c501",
	"process_id": "5452",
	"process_name": "powershell.exe",
	"process_path": "c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe",
	"process_target_guid": "03ba39f5-8320-5ce0-0000-00101ec72502",
	"process_target_id": "3124",
	"process_target_name": "notepad.exe",
	"process_target_path": "c:\\\\windows\\\\system32\\\\notepad.exe",
	"provider_guid": "5770385f-c22a-43e0-bf4c-06f5698ffbd9",
	"record_number": "2273503",
	"source_name": "Microsoft-Windows-Sysmon",
	"task": "CreateRemoteThread detected (rule: CreateRemoteThread)",
	"thread_id": 3144,
	"thread_new_id": "7940",
	"thread_start_address": "0x00007FFECED8F220",
	"thread_start_function": "LoadLibraryA",
	"thread_start_module": "C:\\\\Windows\\\\System32\\\\KERNEL32.DLL",
	"type": "wineventlog",
	"user_reporter_domain": "NT AUTHORITY",
	"user_reporter_name": "SYSTEM",
	"user_reporter_sid": "S-1-5-18",
	"user_reporter_type": "User"