
kernel32.dll - CreateRemoteThread

⚠️ Critical Risk · 📁 Windows Native API · 🏷️ process injection · ✅ Verified
#windows-native-api #process-injection #rce #widely-abused

🔧 API Details

Namespace

kernel32.dll

Language

C/C++ (Win32 API; also callable from .NET via P/Invoke)

Function

CreateRemoteThread

📊 Risk Assessment

Severity

Critical

Prevalence

widespread

Ease of Abuse

medium

Likelihood in Real Attacks

85%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Remote code injection (shellcode or DLL)

Technique: T1055.001 (Process Injection: Dynamic-link Library Injection)

🚨 Common in Campaigns

Execute code in another process: allocate memory in the target (VirtualAllocEx), copy shellcode or a DLL path into it (WriteProcessMemory), then call CreateRemoteThread with that address, or with LoadLibrary as the start routine and the path as its argument, so the target runs the attacker's code in a new thread.

Code Example:

// hProcess must be opened with PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION and PROCESS_VM_WRITE (plus query/read rights); addr points to code already written into the target
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)addr, NULL, 0, NULL);

Detection Difficulty: Medium

🔍 Detection Strategies

Microsoft Defender

HIGH Effectiveness

Behavioural detection of the VirtualAllocEx + WriteProcessMemory + CreateRemoteThread sequence into another process, especially when the thread start address is in executable memory not backed by an image on disk

Splunk/Sysmon

HIGH Effectiveness

Alert on Sysmon Event ID 8 (CreateRemoteThread) where StartModule is empty (thread start address not backed by a loaded module) or StartFunction is LoadLibraryA/W, and correlate with Event ID 10 (ProcessAccess) from the same source process requesting PROCESS_VM_WRITE

🛡️ Mitigation Strategies

policy

HIGH Feasibility

Apply process mitigation policies to sensitive processes: Arbitrary Code Guard (ProcessDynamicCodePolicy) blocks allocation of executable shellcode pages in the protected target, and Protected Process Light (e.g. LSA protection) denies the handle rights CreateRemoteThread needs. HVCI enforces kernel-mode code integrity and does not by itself stop user-mode cross-process thread creation.

monitoring

EASY Feasibility

Monitor Sysmon Event ID 8 for CreateRemoteThread
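The detection and monitoring guidance above comes down to inspecting a few fields of Sysmon Event ID 8. The following is an added worked example, not code from the original page: a Python triage script that parses constructed Sysmon Event ID 8 XML records and flags the two patterns that matter for CreateRemoteThread abuse, a thread start address with no backing module (shellcode written with VirtualAllocEx/WriteProcessMemory) and a LoadLibrary* entry point (DLL injection, T1055.001). The allowlist, scoring weights and sample records are assumptions for illustration, not Sysmon's own logic.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for injection patterns.

Added example, not code from the original page. Heuristics are assumptions:
  * empty StartModule        -> thread entry in memory not backed by any loaded image
                                (typical of VirtualAllocEx + WriteProcessMemory + shellcode)
  * StartFunction LoadLibrary* -> classic DLL injection (T1055.001)
  * source image outside a hypothetical allowlist of known legitimate injectors
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Hypothetical allowlist of processes that legitimately create remote threads; tune per environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}
LOADER_ENTRYPOINTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def parse_event(xml_text):
    """Return the EventData fields of a Sysmon event as a dict, or None if it is not Event ID 8."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"./{NS}System/{NS}EventID") != "8":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind(f"./{NS}EventData/{NS}Data")}


def score_event(ev):
    """Score one Event ID 8 record; a higher score means a more likely injection."""
    score, reasons = 0, []
    if not ev.get("StartModule"):
        score += 3
        reasons.append("thread start address not backed by a loaded module")
    if ev.get("StartFunction", "").lower() in LOADER_ENTRYPOINTS:
        score += 2
        reasons.append(f"thread entry is {ev['StartFunction']} (DLL injection pattern)")
    if ev.get("SourceImage", "").lower() not in BENIGN_SOURCES:
        score += 1
        reasons.append("source image not in allowlist")
    return score, reasons


def triage(xml_events, threshold=3):
    """Return an alert dict for every Event ID 8 record scoring at or above threshold."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                           "score": score, "reasons": reasons})
    return alerts


def sysmon_event(event_id, fields):
    """Build a minimal Sysmon-style event XML string (used only for constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # benign: csrss creating a thread that starts inside ntdll
    sysmon_event(8, {"SourceImage": r"C:\Windows\System32\csrss.exe",
                     "TargetImage": r"C:\Program Files\App\app.exe",
                     "StartAddress": "0x00007FFE12345678",
                     "StartModule": r"C:\Windows\System32\ntdll.dll",
                     "StartFunction": ""}),
    # shellcode injection: start address in unbacked memory
    sysmon_event(8, {"SourceImage": r"C:\Users\victim\Downloads\invoice.exe",
                     "TargetImage": r"C:\Windows\explorer.exe",
                     "StartAddress": "0x000001D8A3F20000",
                     "StartModule": "", "StartFunction": ""}),
    # DLL injection: thread entry is LoadLibraryA with the DLL path as argument
    sysmon_event(8, {"SourceImage": r"C:\Temp\inject.exe",
                     "TargetImage": r"C:\Windows\System32\notepad.exe",
                     "StartAddress": "0x00007FFE22334455",
                     "StartModule": r"C:\Windows\System32\KERNEL32.DLL",
                     "StartFunction": "LoadLibraryA"}),
    # unrelated event type, skipped by parse_event
    sysmon_event(1, {"Image": r"C:\Windows\System32\cmd.exe"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[score {alert['score']}] {alert['source']} -> {alert['target']}: "
              + "; ".join(alert["reasons"]))
```

In production the XML would come from the exported Sysmon log rather than the constructed list; the scoring deliberately weights an unbacked start address highest, because a legitimate remote thread almost always starts in a mapped image.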

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT28

Lazarus

APT33

🦠 Malware Families

Emotet

IcedID

AsyncRAT

🔨 Tools

Cobalt Strike

Metasploit

Empire

📋 Metadata

API ID

d4f7b037-613f-4778-9ade-408ed11e1466

Created

2026-02-02

Author

Claw