Event ID 8 — CreateRemoteThread
Description
The CreateRemoteThread event detects when a process creates a thread in another process.
Fields

| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to event, i.e. ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when event was created |
| SourceProcessGuid | GUID → GUID | Process GUID of the source process that created a thread in another process |
| SourceProcessId | UInt32 → PID | Process ID used by the OS to identify the source process that created a thread in another process |
| SourceImage | UnicodeString → string | File path of the source process that created a thread in another process |
| TargetProcessGuid | GUID → GUID | Process GUID of the target process |
| TargetProcessId | UInt32 → PID | Process ID used by the OS to identify the target process |
| TargetImage | UnicodeString → string | File path of the target process |
| NewThreadId | UInt32 → unsignedInt | ID of the new thread created in the target process |
| StartAddress | UnicodeString → string | New thread start address |
| StartModule | UnicodeString → string | Module where the new thread starts execution, resolved from the thread start address |
| StartFunction | UnicodeString → string | Exported function where the new thread starts, if the start address matches a known export |
| SourceUser | UnicodeString → string | Name of the account of the source process that created a thread in another process |
| TargetUser | UnicodeString → string | Name of the account of the target process |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 8,
"version": 2,
"level": 4,
"task": 8,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:44:42.883662+00:00",
"event_record_id": 1356672,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 9788
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 01:44:42.882",
"SourceProcessGuid": "E56ADA26-17ED-6548-0900-000000000D00",
"SourceProcessId": 644,
"SourceImage": "C:\\Windows\\System32\\csrss.exe",
"TargetProcessGuid": "E56ADA26-4257-6548-200A-000000000D00",
"TargetProcessId": 21332,
"TargetImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
"NewThreadId": 21912,
"StartAddress": "0x00007FFAF7117550",
"StartModule": "C:\\Windows\\System32\\KERNELBASE.dll",
"StartFunction": "CtrlRoutine",
"SourceUser": "NT AUTHORITY\\SYSTEM",
"TargetUser": "WINDEV2310EVAL\\User"
},
"message": ""
}
Detection Patterns
Execution: User Execution
Defender-DeviceEvents Event ID 9007004: CreateRemoteThread API call OR Sysmon Event ID 8: CreateRemoteThread (1 rule, Kusto Query Language)
Community Notes
CreateRemoteThread. Detects some process-injection methods.
Detection Rules
Sigma
- HackTool - CACTUSTORCH Remote Thread Creation (level: high): Detects remote thread creation from CACTUSTORCH as described in references.
- HackTool - Potential CobaltStrike Process Injection (level: high): Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons.
- Remote Thread Created In KeePass.EXE (level: high): Detects remote thread creation in "KeePass.exe", which could indicate potential password dumping activity.
- Remote Thread Creation In Mstsc.Exe From Suspicious Location (level: high): Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
- Potential Credential Dumping Attempt Via PowerShell Remote Thread (level: high): Detects remote thread creation by PowerShell processes into "lsass.exe".
- Remote Thread Creation Via PowerShell In Uncommon Target (level: medium): Detects the creation of a remote thread from a PowerShell process in an uncommon target process.
- Password Dumper Remote Thread in LSASS (level: high): Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
- Rare Remote Thread Creation By Uncommon Source Image (level: high): Detects uncommon processes creating remote threads.
- Remote Thread Creation By Uncommon Source Image (level: medium): Detects uncommon processes creating remote threads.
- Remote Thread Creation In Uncommon Target Image (level: medium): Detects uncommon target processes for remote thread creation.
- Remote Thread Creation Ttdinject.exe Proxy (level: high): Detects a remote thread creation of Ttdinject.exe used as a proxy.
Elastic
- Process Injection by the Microsoft Build Engine (level: low): An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.
Splunk
- Create Remote Thread In Shell Application: The following analytic detects suspicious process injection in command shell applications, specifically targeting `cmd.exe` and `powershell.exe`. It leverages Sysmon EventCode 8 to identify the creation of remote threads within these shell processes. This activity is significant because it is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.
- Create Remote Thread into LSASS: The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.
- Powershell Remote Thread To Known Windows Process: The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
- Rundll32 Create Remote Thread To A Process: The following analytic detects the creation of a remote thread by rundll32.exe into another process. It leverages Sysmon EventCode 8 logs, specifically monitoring SourceImage and TargetImage fields. This activity is significant as it is a common technique used by malware, such as IcedID, to execute malicious code within legitimate processes, aiding in defense evasion and data theft. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, escalate privileges, and exfiltrate sensitive information from the compromised host.
- Rundll32 CreateRemoteThread In Browser: The following analytic detects the suspicious creation of a remote thread by rundll32.exe targeting browser processes such as firefox.exe, chrome.exe, iexplore.exe, and microsoftedgecp.exe. This detection leverages Sysmon EventCode 8, focusing on SourceImage and TargetImage fields to identify the behavior. This activity is significant as it is commonly associated with malware like IcedID, which hooks browsers to steal sensitive information such as banking details. If confirmed malicious, this could allow attackers to intercept and exfiltrate sensitive user data, leading to potential financial loss and privacy breaches.
- Windows Process Injection Of Wermgr to Known Browser: The following analytic identifies the suspicious remote thread execution of the wermgr.exe process into known browsers such as firefox.exe, chrome.exe, and others. It leverages Sysmon EventCode 8 logs to detect this behavior by monitoring SourceImage and TargetImage fields. This activity is significant because it is indicative of Qakbot malware, which injects malicious code into legitimate processes to steal information. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, and exfiltrate sensitive data from the compromised host.
- Windows Process Injection Remote Thread: The following analytic detects suspicious remote thread execution in processes such as Taskmgr.exe, calc.exe, and notepad.exe, which may indicate process injection by malware like Qakbot. This detection leverages Sysmon EventCode 8 to identify remote thread creation in specific target processes. This activity is significant as it often signifies an attempt by malware to inject malicious code into legitimate processes, potentially leading to unauthorized code execution. If confirmed malicious, this could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence on the compromised host.
- Windows Process Injection With Public Source Path: The following analytic detects a process from a non-standard file path on Windows attempting to create a remote thread in another process. This is identified using Sysmon EventCode 8, focusing on processes not originating from typical system directories. This behavior is significant as it often indicates process injection, a technique used by adversaries to evade detection or escalate privileges. If confirmed malicious, this activity could allow an attacker to execute arbitrary code within another process, potentially leading to unauthorized actions and further compromise of the system.
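The following is an added triage example, not code from Sysmon or from any of the Sigma, Elastic or Splunk rule sets listed above. It reads the event_data fields from the Fields table (SourceImage, TargetImage, StartModule, StartFunction) out of Event ID 8 records in the JSON shape of the Example Event and applies simplified analogues of several of the listed patterns: a thread into lsass.exe, PowerShell into a known Windows process, rundll32.exe into a browser, a thread into a shell, and a source image outside the usual system directories. The rule names, the trusted-directory allow-list and the sample events are constructed for illustration; the first sample is the page's own example (csrss.exe starting a KERNELBASE.dll!CtrlRoutine thread in pwsh.exe, which is how console control signals such as Ctrl+C are delivered) and shows why a benign-pattern suppression belongs in front of the shell rule.

```python
"""Triage helper for Sysmon Event ID 8 (CreateRemoteThread) records.

Added example. Rule names, the allow-list below and the sample events are
constructed; they are not the Sigma/Elastic/Splunk rules themselves.
"""
from __future__ import annotations

import json
import ntpath

# Directories from which remote-thread sources are normally expected (constructed allow-list).
TRUSTED_SOURCE_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "microsoftedgecp.exe"}
KNOWN_WINDOWS_TARGETS = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def is_console_ctrl_routine(data: dict) -> bool:
    """Known-benign pattern: csrss.exe delivering a console control signal by
    starting a thread at KERNELBASE.dll!CtrlRoutine in a console process."""
    return (
        _basename(data.get("SourceImage", "")) == "csrss.exe"
        and _basename(data.get("StartModule", "")) == "kernelbase.dll"
        and data.get("StartFunction") == "CtrlRoutine"
    )


def triage_event(event: dict) -> list[str]:
    """Return the constructed pattern names an Event ID 8 record matches, in fixed order."""
    data = event.get("event_data", {})
    if event.get("system", {}).get("event_id") != 8 or is_console_ctrl_routine(data):
        return []
    src = data.get("SourceImage", "")
    src_name, tgt_name = _basename(src), _basename(data.get("TargetImage", ""))
    hits: list[str] = []
    if tgt_name == "lsass.exe":                       # credential-dumping indicator
        hits.append("remote_thread_into_lsass")
    if src_name in POWERSHELL and tgt_name in KNOWN_WINDOWS_TARGETS:
        hits.append("powershell_remote_thread_to_known_windows_process")
    if src_name == "rundll32.exe" and tgt_name in BROWSERS:
        hits.append("rundll32_createremotethread_in_browser")
    if tgt_name in SHELLS:                            # thread created inside a shell
        hits.append("create_remote_thread_in_shell_application")
    if src and not src.lower().startswith(TRUSTED_SOURCE_DIRS):
        hits.append("process_injection_with_public_source_path")
    return hits


def triage_json_lines(text: str) -> dict[int, list[str]]:
    """Map event_record_id -> matched patterns for newline-delimited JSON events."""
    out: dict[int, list[str]] = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            out[ev["system"]["event_record_id"]] = triage_event(ev)
    return out


def _ev(rid: int, src: str, tgt: str, module: str = "", func: str = "") -> dict:
    """Build a minimal Event ID 8 record in the page's JSON shape (constructed)."""
    return {"system": {"event_id": 8, "event_record_id": rid},
            "event_data": {"SourceImage": src, "TargetImage": tgt,
                           "StartModule": module, "StartFunction": func}}


# Constructed samples; the first mirrors the page's example event.
SAMPLE_EVENTS = [
    _ev(1356672, r"C:\Windows\System32\csrss.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
        r"C:\Windows\System32\KERNELBASE.dll", "CtrlRoutine"),
    _ev(1356673, r"C:\Users\Public\tool.exe", r"C:\Windows\System32\lsass.exe"),
    _ev(1356674, r"C:\Windows\System32\rundll32.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    _ev(1356675, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    ndjson = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)
    for rid, hits in triage_json_lines(ndjson).items():
        print(rid, hits or "no match")
```

The suppression is deliberately narrow (source, module and export all have to agree); a thread from csrss.exe that starts somewhere other than CtrlRoutine still falls through to the shell rule. The allow-list check is a prefix match on the source path only, so it reproduces the "public source path" idea without any reputation data; in production the Sigma rules above also use process GUIDs and users from the same event to pivot to Event ID 1.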