Event ID 8

Detects when a process creates a thread in another process
Source: Microsoft-Windows-Sysmon
Category: CreateRemoteThread detected (rule: CreateRemoteThread)
CreateRemoteThread detected:
    RuleName: %1!s!
    UtcTime: %2!s!
    SourceProcessGuid: %3!s!
    SourceProcessId: %4!s!
    SourceImage: %5!s!
    TargetProcessGuid: %6!s!
    TargetProcessId: %7!s!
    TargetImage: %8!s!
    NewThreadId: %9!s!
    StartAddress: %10!s!
    StartModule: %11!s!
    StartFunction: %12!s!
    SourceUser: %13!s!
    TargetUser: %14!s!


The CreateRemoteThread event is recorded when a process creates a thread in another process. Malware uses this technique to inject code into, and hide inside, other processes. The event identifies the source and target process and describes the code that will run in the new thread: StartAddress, StartModule and StartFunction. Note that the StartModule and StartFunction fields are inferred; they may be empty if the start address lies outside any loaded module or known exported function.
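As an added example, not part of this event reference or of Sysmon itself, the following Python parses Event ID 8 records in Windows Event Log XML form into the fields listed above and applies a simple triage: it flags a thread whose StartModule and StartFunction could not be inferred (start address outside any loaded module or known export), a source image different from the target image, and a source user different from the target user. The two records, and every GUID, PID, path, user and address in them, are constructed for illustration; the field names are the ones from the event template.

```python
"""Parse and triage Sysmon Event ID 8 (CreateRemoteThread) records.

Added example; the records below are constructed, not real telemetry.
"""
import xml.etree.ElementTree as ET

# Namespace used by Windows Event Log XML (<Event xmlns="...">).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon leaves a field it cannot fill empty or writes "-"; treat both as absent.
EMPTY = {"", "-"}

# Constructed sample records. The first has a start address Sysmon could not
# map to a module, so StartModule/StartFunction are empty; the second has
# both fields populated.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>8</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-01 12:00:00.000</Data>
    <Data Name="SourceProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="SourceProcessId">4321</Data>
    <Data Name="SourceImage">C:\Users\user\Downloads\unknown.exe</Data>
    <Data Name="TargetProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name="TargetProcessId">1234</Data>
    <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
    <Data Name="NewThreadId">5555</Data>
    <Data Name="StartAddress">0x000001E4C0A00000</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
    <Data Name="SourceUser">DESKTOP\user</Data>
    <Data Name="TargetUser">DESKTOP\user</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>8</EventID></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-01-01 12:00:01.000</Data>
    <Data Name="SourceProcessGuid">{00000000-0000-0000-0000-000000000003}</Data>
    <Data Name="SourceProcessId">800</Data>
    <Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
    <Data Name="TargetProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name="TargetProcessId">1234</Data>
    <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
    <Data Name="NewThreadId">5556</Data>
    <Data Name="StartAddress">0x00007FFB2A3B1C20</Data>
    <Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data Name="StartFunction">RtlUserThreadStart</Data>
    <Data Name="SourceUser">NT AUTHORITY\SYSTEM</Data>
    <Data Name="TargetUser">DESKTOP\user</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Return the EventData fields as a dict, plus the integer EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields


def start_address(ev):
    """StartAddress as an integer (the field is a 0x-prefixed hex string)."""
    return int(ev["StartAddress"], 16)


def start_unmapped(ev):
    """True when Sysmon could not infer a module/function for the start address."""
    return ev.get("StartModule", "") in EMPTY and ev.get("StartFunction", "") in EMPTY


def triage(ev):
    """Return short reason codes for an Event ID 8 record worth a closer look."""
    if ev["EventID"] != 8:
        raise ValueError("not a CreateRemoteThread (Event ID 8) record")
    reasons = []
    if start_unmapped(ev):
        reasons.append("unmapped_start")   # code outside any loaded module
    if ev["SourceImage"].lower() != ev["TargetImage"].lower():
        reasons.append("cross_image")      # one image starting threads in another
    if ev["SourceUser"].lower() != ev["TargetUser"].lower():
        reasons.append("cross_user")       # thread crosses a user boundary
    return reasons


if __name__ == "__main__":
    for xml_text in SAMPLE_EVENTS:
        ev = parse_event(xml_text)
        print(f"{ev['SourceImage']} -> {ev['TargetImage']} "
              f"@ {start_address(ev):#x}: {triage(ev) or 'no flags'}")
```

The reason codes are deliberately coarse: the page only supports the observation that an empty StartModule/StartFunction means the start address was not inside a loaded module or a known export, so that condition is reported as a fact to investigate rather than as a verdict.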


