CreateRemoteThread

CreateRemoteThread is a Windows API function that allows a program to create a new thread in the address space of another process. This can be used for a variety of purposes, both legitimate and malicious.

Bad actors may use CreateRemoteThread to inject malicious code into a legitimate process, allowing them to evade detection and persist on a system. For example, a malware that uses CreateRemoteThread to inject itself into a system process such as explorer.exe or svchost.exe would be able to run with the same permissions as the host process, making it more difficult to detect and remove.

Another example is a attackers can use CreateRemoteThread to inject a DLL into a running process which will execute the malicious code inside the process with the same privilege level as the process itself, which can be used to perform various malicious activities such as keylogging, privilege escalation, or downloading additional malware.

It is important to note that CreateRemoteThread can be used for legitimate purposes as well, such as for debugging or for inter-process communication. However, it can also be abused by attackers to compromise a system.

Read documentation

Through official Microsoft Developer Network (MSDN).

Featured in Techniques

Technique Name	Technique ID's	Snippet(s)	Rules(s)	OS
DLL Injection via CreateRemoteThread and LoadLibrary	U1226 E1055.001
PE Injection	U1216 E1055.002
File Melt	U1007
ProcEnvInjection - Remote code injection by abusing process environment strings	U1235
NLS Code Injection Through Registry	U1237

Matching Samples 10 most recent

Sample Name	Matching Techniques	First Seen	Last Seen
Lab01-04.exe	6	2025-09-26	1 month, 2 weeks ago
5.exe	9	2025-05-30	5 months, 1 week ago
q.apk.exe	8	2025-05-30	5 months, 1 week ago
cobalt_sample.exe	13	2025-05-25	5 months, 2 weeks ago
firefox.exe	3	2025-04-26	6 months, 2 weeks ago
test.exe	7	2024-12-06	11 months ago
al-khaser.exe	24	2024-11-13	11 months, 4 weeks ago
sample_.exe	7	2024-11-14	11 months, 4 weeks ago

View All