rabbitstack · rabbitstack · Apr 11, 2025 · Mar 20, 2025
diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
@@ -1,6 +1,6 @@
 name: Unsigned DLL injection via remote thread
 id: 21bdd944-3bda-464b-9a72-58fd37ba9163
-version: 1.0.2
+version: 1.1.0
 description: |
   Identifies unsigned DLL injection via remote thread creation.
   Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
@@ -22,15 +22,15 @@ references:
 condition: >
   sequence
   maxspan 1m
-    |create_remote_thread and not (ps.exe imatches
+    |create_remote_thread and thread.start_address.symbol imatches ('LoadLibrary*', 'LdrLoadDLL*') and not (ps.exe imatches
       (
         '?:\\Program Files\\*.exe',
         '?:\\Program Files (x86)\\*.exe'
       )
         or
-      (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch'))
+      (ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch'))
         or
-      (ps.cmdline imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe ExecuteQueuedItems /LegacyServiceBehavior')
+      (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
      )
     | by thread.pid
     |(load_unsigned_or_untrusted_dll)