From 334ef1da903ac4bcf5738e2cb069ac7fe6d3447b Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 20 Mar 2025 20:40:58 +0100
Subject: [PATCH] fix(rule-engine): Add expire sequence condition for CreateThread event

If the process termination event arrives, and the sequence contains CreateThread events where the event pid and the pid in the parameters differ, the sequence can be expired when the remote process terminates.

---
 pkg/rules/sequence.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/pkg/rules/sequence.go b/pkg/rules/sequence.go
index 28f181882..38a8144c5 100644
--- a/pkg/rules/sequence.go
+++ b/pkg/rules/sequence.go
@@ -538,12 +538,19 @@ func (s *sequenceState) expire(e *kevent.Kevent) bool {
 // process spawned by CreateProcess, and it pertains
 // to the final sequence slot, it is safe to expire
 // the whole sequence
+ pid := rhs.Kparams.MustGetPid()
 if lhs.Type == ktypes.CreateProcess && isFinalSlot {
- p1, _ := lhs.Kparams.GetPid()
- p2, _ := rhs.Kparams.GetPid()
- return p1 == p2
+ return lhs.Kparams.MustGetPid() == pid
+ }
+ if lhs.Type == ktypes.CreateThread {
+ // if the pids differ, the thread
+ // is created in a remote process.
+ // Sequence can be expired only if
+ // the remote process terminates
+ if lhs.PID != lhs.Kparams.MustGetPid() {
+ return lhs.Kparams.MustGetPid() == pid
+ }
 }
- pid, _ := rhs.Kparams.GetPid()
 return lhs.PID == pid
 }
 s.mu.Lock()
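Review bot: The switch from the ignored-error `GetPid()` calls to `MustGetPid()` on both `rhs.Kparams` (first added line) and `lhs.Kparams` means an event that lacks the pid parameter now panics inside the rule engine's expiry path instead of merely failing to match, so a single malformed or unexpected event could take the whole engine down; that is a worse failure mode for a detection component than declining to expire. Unless it is guaranteed elsewhere that every event reaching this branch carries the pid parameter, keep the checked form and treat a missing pid as "do not expire": `pid, err := rhs.Kparams.GetPid()` followed by `if err != nil { return false }`, and likewise for the `lhs` lookups. The CreateThread branch also evaluates `lhs.Kparams.MustGetPid()` twice; hoisting it once into a local (e.g. `tpid := lhs.Kparams.MustGetPid()`) makes the comparison read more clearly and avoids the repeated lookup. The `expire` method begins and ends outside this hunk.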