Elastic Windows Event Explorer


Publisher - Microsoft-Windows-Sysmon

Event ID 8 v2

Message:

CreateRemoteThread detected:
RuleName: %{RuleName}
UtcTime: %{UtcTime}
SourceProcessGuid: %{SourceProcessGuid}
SourceProcessId: %{SourceProcessId}
SourceImage: %{SourceImage}
TargetProcessGuid: %{TargetProcessGuid}
TargetProcessId: %{TargetProcessId}
TargetImage: %{TargetImage}
NewThreadId: %{NewThreadId}
StartAddress: %{StartAddress}
StartModule: %{StartModule}
StartFunction: %{StartFunction}

Event Data:

#   Name                In Type            Out Type
1   RuleName            win:UnicodeString  xs:string
2   UtcTime             win:UnicodeString  xs:string
3   SourceProcessGuid   win:GUID           xs:GUID
4   SourceProcessId     win:UInt32         win:PID
5   SourceImage         win:UnicodeString  xs:string
6   TargetProcessGuid   win:GUID           xs:GUID
7   TargetProcessId     win:UInt32         win:PID
8   TargetImage         win:UnicodeString  xs:string
9   NewThreadId         win:UInt32         xs:unsignedInt
10  StartAddress        win:UnicodeString  xs:string
11  StartModule         win:UnicodeString  xs:string
12  StartFunction       win:UnicodeString  xs:string

Observed Windows Versions:

Version: 2

Fingerprint: VXKE6LP6B7OL2