Open
Conversation
jdu2600
force-pushed
the
thread_creation
branch
from
fe69298 to
fa24790
Compare
Owner
|
Thanks @jdu2600, could you please provide some examples from the Elastic EDR events? |
tsale
added
waiting for info
Contributor
Author
|
CreateThread = Here's a sample event - |
tsale
added
under review
Owner
|
Thanks for that @jdu2600. I did have a look and I can confirm that, unlike what the article suggests, other EDR are also monitoring for this activity. Although it would be a good practise to track all different variations of thread activities, this can get out of hand very quickly. We are planning to include one more level to the current sub-categories. We could change the "Remote Thread Creation" to "Thread Activities" and include all variations. But that is just too much for this stage of the project. We can re-evaluate this then. Thanks again for submitting the information and contributing to this project, appreciate it! |
Contributor
Author
|
Noted. Though perhaps the current category should be updated to |
Owner
|
Thanks for understanding. I re-opened this PR to consider the change for the sub-category name from "Remote Thread Creation" to "Thread Creation". @jdu2600 - Could you please provide a justification as to why you would like Sysmon to have an "Partially Implemented" mark instead of a "Implemented"? This justification would have to make its way to the official notes for the main table. @inodee - Any objections here for this change to the sub-category? Makes sense? |
Contributor
Author
|
The sysmon documentation indicates that its Event ID 8 is Remote Thread Creation only - not Thread Creation more generally. |
Owner
|
Good enough for me. For the record, difference explained here:
@jdu2600, could you please edit your proposed changes by only renaming the Sub-Category field to "Thread Creation" and change only the Sysmon value from "Yes" to "Partially"? Thanks! |
jdu2600
force-pushed
the
thread_creation
branch
from
fa24790 to
1c269f6
Compare
Contributor
Author
|
Done. Are we confident that Crowdstrike/LimaCharlie/MDE/S1/WatchGuard all monitor local thread creations? |
Owner
Contributor
Author
|
The simplest test would be to see if telemetry is generated for a local unbacked thread. C++ snippet - |
Collaborator
|
It seems like we indeed need a dedicated cat for "Thread Activities"! Thanks @jdu2600 for your contribs! Yes, we need to validate/adjust the others. |
Contributor
Author
|
Or a python one-liner if that is simpler. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Thread Creation events (ideally via a
PsSetCreateThreadNotifyRoutinecallback) are a useful telemetry source.References -
https://bruteratel.com/release/2022/11/17/Release-Resurgence/
"Several changes were also made to how a local thread was created following some detections from Elastic EDR, as unlike any other EDR, Elastic also monitors local threads."
Type of change