Sysmon Event ID 8

Source

8: CreateRemoteThread

This is an event from Sysmon.

On this page

Description of this event
Field level details
Examples
Mini-seminars on this event

The CreateRemoteThread event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes. The event indicates the source and target process. It gives information on the code that will be run in the new thread: StartAddress, StartModule and StartFunction. Note that StartModule and StartFunction fields are inferred, they might be empty if the starting address is outside loaded modules or known exported functions.

Free Security Log Resources by Randy

Description Fields in 8

Log Name
Source
Date
Event ID
Task Category
Level
Keywords
User
Computer
Description
UtcTime
SourceProcessGuid
SourceProcessId
SourceImage
TargetProcessGuid
TargetProcessId
TargetImage
NewThreadId
StartAddress
StartModule
StartFunction

Supercharger Enterprise

Load Balancing for Windows Event Collection

Examples of 8

CreateRemoteThread detected:
UtcTime: 2017-05-13 22:53:43.214
SourceProcessGuid: {a23eae89-8e6d-5917-0000-0010dfaf5004}
SourceProcessId: 8804
SourceImage: C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe
TargetProcessGuid: {a23eae89-8e5a-5917-0000-00100e3e4d04}
TargetProcessId: 2024
TargetImage: C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe
NewThreadId: 20532
StartAddress: 0x00007FFB09321970
StartModule: C:\Windows\SYSTEM32\ntdll.dll
StartFunction: DbgUiRemoteBreakin

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
</EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 8

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.