CreateRemoteThread
CreateRemoteThread is a Windows API function that allows a program to create a new thread in the address space of another process. This can be used for a variety of purposes, both legitimate and malicious.
Bad actors may use CreateRemoteThread to inject malicious code into a legitimate process, allowing them to evade detection and persist on a system. For example, a malware that uses CreateRemoteThread to inject itself into a system process such as explorer.exe or svchost.exe would be able to run with the same permissions as the host process, making it more difficult to detect and remove.
Another example is a attackers can use CreateRemoteThread to inject a DLL into a running process which will execute the malicious code inside the process with the same privilege level as the process itself, which can be used to perform various malicious activities such as keylogging, privilege escalation, or downloading additional malware.
It is important to note that CreateRemoteThread can be used for legitimate purposes as well, such as for debugging or for inter-process communication. However, it can also be abused by attackers to compromise a system.
Through official Microsoft Developer Network (MSDN).
Featured in Techniques
| Technique Name | Technique ID's | Snippet(s) | Rules(s) | OS |
|---|---|---|---|---|
| DLL Injection via CreateRemoteThread and LoadLibrary | U1226 E1055.001 | |||
| PE Injection | U1216 E1055.002 | |||
| File Melt | U1007 | |||
| ProcEnvInjection - Remote code injection by abusing process environment strings | U1235 | |||
| NLS Code Injection Through Registry | U1237 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| firefox.exe | 3 | 2025-04-26 | 2 weeks, 2 days ago |
| test.exe | 7 | 2024-12-06 | 5 months ago |
| al-khaser.exe | 24 | 2024-11-13 | 5 months, 4 weeks ago |
| sample_.exe | 7 | 2024-11-14 | 5 months, 4 weeks ago |