Sysmon Event ID 8


8: CreateRemoteThread

This is an event from Sysmon.


The CreateRemoteThread event is recorded when a process creates a thread in another process. This technique is used by malware to inject code into, and hide inside, other processes. The event identifies the source and target process and describes the code that will run in the new thread: StartAddress, StartModule and StartFunction. Note that the StartModule and StartFunction fields are inferred; they may be empty if the start address lies outside any loaded module or known exported function.


Description Fields in 8

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • SourceProcessGuid
  • SourceProcessId
  • SourceImage
  • TargetProcessGuid
  • TargetProcessId
  • TargetImage
  • NewThreadId
  • StartAddress
  • StartModule
  • StartFunction


Examples of 8

CreateRemoteThread detected:
UtcTime: 2017-05-13 22:53:43.214
SourceProcessGuid: {a23eae89-8e6d-5917-0000-0010dfaf5004}
SourceProcessId: 8804
SourceImage: C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe
TargetProcessGuid: {a23eae89-8e5a-5917-0000-00100e3e4d04}
TargetProcessId: 2024
TargetImage: C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe
NewThreadId: 20532
StartAddress: 0x00007FFB09321970
StartModule: C:\Windows\SYSTEM32\ntdll.dll
StartFunction: DbgUiRemoteBreakin


Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <EventID>8</EventID>
        <Version>2</Version>
        <Level>4</Level>
        <Task>8</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
        <EventRecordID>739823</EventRecordID>
        <Correlation />
        <Execution ProcessID="2848" ThreadID="3520" />
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>rfsH.lab.local</Computer>
        <Security UserID="S-1-5-18" />
    </System>
    <EventData>
        <Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
        <Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
        <Data Name="SourceProcessId">8804</Data>
        <Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
        <Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
        <Data Name="TargetProcessId">2024</Data>
        <Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
        <Data Name="NewThreadId">20532</Data>
        <Data Name="StartAddress">0x00007FFB09321970</Data>
        <Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data Name="StartFunction">DbgUiRemoteBreakin</Data>
    </EventData>
</Event>
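The Event XML above is what a collector actually receives, so a practical first step is to parse it into its named fields and apply the triage hints the description gives: a start address that does not resolve to a loaded module (empty StartModule/StartFunction) and a source process that is not a known legitimate remote-thread creator such as a debugger. The following Python is an added example written for this page, not code from the Sysmon project or from the page's author. The benign event is the page's own msvsmon.exe sample (with only the fields the parser needs kept); the second event, the allowlist of approved source images, and every path and process name in it are constructed for illustration.

```python
"""Parse Sysmon Event ID 8 (CreateRemoteThread) XML and apply simple triage rules."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by Windows event XML (see the <Event xmlns=...> element on the page).
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample from the page: the Visual Studio remote debugger attaching to a target,
# with the new thread starting in ntdll!DbgUiRemoteBreakin (a normal debug break-in).
BENIGN_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>8</EventID>
    <Computer>rfsH.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
    <Data Name="SourceProcessId">8804</Data>
    <Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
    <Data Name="TargetProcessId">2024</Data>
    <Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
    <Data Name="NewThreadId">20532</Data>
    <Data Name="StartAddress">0x00007FFB09321970</Data>
    <Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
    <Data Name="StartFunction">DbgUiRemoteBreakin</Data>
  </EventData>
</Event>"""

# Constructed sample (not from the page): an unknown program creates a thread whose
# start address Sysmon could not map to any loaded module, so StartModule and
# StartFunction are empty, exactly the case the description warns about.
SUSPICIOUS_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><Computer>example-host</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 00:00:00.000</Data>
    <Data Name="SourceProcessId">4242</Data>
    <Data Name="SourceImage">C:\Users\example\AppData\Local\Temp\unknown_tool.exe</Data>
    <Data Name="TargetProcessId">1337</Data>
    <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
    <Data Name="NewThreadId">9999</Data>
    <Data Name="StartAddress">0x000001F4A0B00000</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
  </EventData>
</Event>"""

# Constructed allowlist of source images expected to create remote threads
# (debuggers, instrumentation); a real deployment maintains its own list.
APPROVED_SOURCE_IMAGES = {"msvsmon.exe"}


@dataclass
class RemoteThreadEvent:
    utc_time: str
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    new_thread_id: int
    start_address: int
    start_module: str
    start_function: str


def parse_event(xml_text: str) -> RemoteThreadEvent:
    """Extract the Event ID 8 fields from Windows event XML; reject other event IDs."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=EVENT_NS)
    if event_id != "8":
        raise ValueError(f"not a CreateRemoteThread event (EventID={event_id})")
    # Empty <Data> elements have text None; normalise to "" so the triage rules can test them.
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return RemoteThreadEvent(
        utc_time=data.get("UtcTime", ""),
        source_pid=int(data.get("SourceProcessId", "0")),
        source_image=data.get("SourceImage", ""),
        target_pid=int(data.get("TargetProcessId", "0")),
        target_image=data.get("TargetImage", ""),
        new_thread_id=int(data.get("NewThreadId", "0")),
        start_address=int(data.get("StartAddress", "0x0"), 16),
        start_module=data.get("StartModule", ""),
        start_function=data.get("StartFunction", ""),
    )


def triage(ev: RemoteThreadEvent) -> list[str]:
    """Return the reasons an event deserves analyst attention; an empty list means it looks routine."""
    reasons: list[str] = []
    source_name = ev.source_image.rsplit("\\", 1)[-1].lower()
    if not ev.start_module or not ev.start_function:
        reasons.append("start address does not resolve to a loaded module or known export")
    if source_name not in APPROVED_SOURCE_IMAGES:
        reasons.append(f"source image '{source_name}' is not an approved remote-thread creator")
    return reasons


if __name__ == "__main__":
    for label, xml_text in (("page sample", BENIGN_EVENT_XML), ("constructed", SUSPICIOUS_EVENT_XML)):
        ev = parse_event(xml_text)
        print(f"{label}: {ev.source_image} -> {ev.target_image} (pid {ev.target_pid})")
        for reason in triage(ev) or ["no triage hits"]:
            print("   ", reason)
```

The parser keys on the `Name` attribute of each `<Data>` element, which is how the Sysmon fields are exposed in the XML view, so it works unchanged on the full event (with Provider, Correlation and Execution elements present). The two rules are deliberately coarse: a debugger attach such as the page's sample passes both, while an unresolved start address from an unrecognised source is the pattern the description singles out as characteristic of injected code.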