Detection rules › By event

Microsoft-Windows-Sysmon event 8

20 detection rules reference this event. View event page.

Sigma (11)

HackTool - CACTUSTORCH Remote Thread Creation severity high T1055.012, T1059.005, T1059.007, T1218.005
HackTool - Potential CobaltStrike Process Injection severity high T1055.001
Password Dumper Remote Thread in LSASS severity high T1003.001
Potential Credential Dumping Attempt Via PowerShell Remote Thread severity high T1003.001
Rare Remote Thread Creation By Uncommon Source Image severity high T1055
Remote Thread Created In KeePass.EXE severity high T1555.005
Remote Thread Creation By Uncommon Source Image severity medium T1055
Remote Thread Creation In Mstsc.Exe From Suspicious Location severity high
Remote Thread Creation In Uncommon Target Image severity medium T1055.003
Remote Thread Creation Ttdinject.exe Proxy severity high T1127
Remote Thread Creation Via PowerShell In Uncommon Target severity medium T1059.001, T1218.011

Elastic (1)

Process Injection by the Microsoft Build Engine T1055, T1127, T1127.001

Splunk (8)