From 894b829fd9874918fa73a6744995ba32257edb5d Mon Sep 17 00:00:00 2001
From: kevross33
Date: Tue, 3 Jul 2018 14:55:43 +0100
Subject: [PATCH] Remove non-child in createthread sig

Same as before. Non-child process changed to "remote" as this is more accurate to what the signature is doing
---
 modules/signatures/windows/injection_thread.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/signatures/windows/injection_thread.py b/modules/signatures/windows/injection_thread.py
index ff1c54574..0a7fb0602 100644
--- a/modules/signatures/windows/injection_thread.py
+++ b/modules/signatures/windows/injection_thread.py
@@ -17,7 +17,7 @@ class InjectionCreateRemoteThread(Signature):
 name = "injection_createremotethread"
- description = "Creates a thread using CreateRemoteThread in a non-child process indicative of process injection"
+ description = "Creates a thread using CreateRemoteThread in a remote process indicative of process injection"
 severity = 3
 categories = ["injection"]
 authors = ["Kevin Ross"]
@@ -36,7 +36,7 @@ def on_call(self, call, process):
 if not call_process or call_process["ppid"] != process["pid"] and process["pid"] != injected_pid:
 self.mark_ioc(
 "Process injection",
- "Process %s created a remote thread in non-child process %s" % (process["pid"],
+ "Process %s created a remote thread in remote process %s" % (process["pid"],
 injected_pid)
 )
 self.mark_call()
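Review bot: The new wording "remote process" in the description (first hunk) and in the IOC message (second hunk) no longer matches the guard two lines above the changed string, which still skips any target whose `ppid` equals the calling `pid`, so a remote thread created in a child process is not marked and the rename hides that coverage gap rather than closing it. If the guard is only meant to exclude a process creating a thread in itself, it should become `if not call_process or process["pid"] != injected_pid:`; if excluding children is intentional, the description and message should keep saying non-child so analysts know what the signature does not cover. The mixed `or`/`and` also relies on precedence, presumably evaluating as `not call_process or (call_process["ppid"] != process["pid"] and process["pid"] != injected_pid)`, which is worth parenthesising explicitly so the intent survives the next edit. on_call begins before this hunk and may continue past `self.mark_call()`.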