Event ID 9007004 — CreateRemoteThread API call

Provider: Defender-DeviceEvents
Channel: CreateRemoteThreadApiCall

Description

CreateRemoteThread API call

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`ProcessId`	—
`InitiatingProcessFileName`	—

Detection Patterns #

Execution: User Execution

Defender-DeviceEvents Event ID 9007004: CreateRemoteThread API callORSysmon Event ID 8: CreateRemoteThread

1 rule

Kusto Query Language

Suspicious Process Injection from Office application (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table