Microsoft-Windows-Sysmon Event ID 8
Sigma (15)
- CreateRemoteThread API and LoadLibrary
- HackTool - CACTUSTORCH Remote Thread Creation
- HackTool - Potential CobaltStrike Process Injection
- Password Dumper Remote Thread in LSASS
- Potential Bumblebee Remote Thread Creation
- Potential Credential Dumping Attempt Via PowerShell Remote Thread
- Rare Remote Thread Creation By Uncommon Source Image
- Remote Thread Created In KeePass.EXE
- Remote Thread Created In Shell Application
- Remote Thread Creation By Uncommon Source Image
- Remote Thread Creation In Mstsc.Exe From Suspicious Location
- Remote Thread Creation In Uncommon Target Image
- Remote Thread Creation Ttdinject.exe Proxy
- Remote Thread Creation Via PowerShell
- Remote Thread Creation Via PowerShell In Uncommon Target
Elastic (1)
Splunk (11)
- Create Remote Thread In Shell Application
- Create Remote Thread into LSASS
- Powershell Remote Thread To Known Windows Process
- Rare Remote Thread (Sysmon)
- Remote Thread Created by Uncommon Process (Sysmon)
- Remote Thread from Suspicious Folder (Sysmon)
- Rundll32 Create Remote Thread To A Process
- Rundll32 CreateRemoteThread In Browser
- Windows Process Injection Of Wermgr to Known Browser
- Windows Process Injection Remote Thread
- Windows Process Injection With Public Source Path