title: DN_0012_8_windows_sysmon_CreateRemoteThread
description: >
  The CreateRemoteThread event detects when a process creates a thread in another process
loggingpolicy:
  - None
references:
  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008
  - https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md
category: OS Logs
platform: Windows
type: Applications and Services Logs
channel: Microsoft-Windows-Sysmon/Operational
provider: Microsoft-Windows-Sysmon
fields:
  - EventID
  - Computer
  - Hostname # redundant
  - UtcTime
  - SourceProcessGuid
  - SourceProcessId
  - SourceImage
  - TargetProcessGuid
  - TargetProcessId
  - TargetImage
  - NewThreadId
  - StartAddress
  - StartModule
  - StartFunction
sample: |
  - - 8 2 4 8 0 0x8000000000000000 739823 Microsoft-Windows-Sysmon/Operational atc-win-10.atc.local - 2017-05-13 22:53:43.214 {A23EAE89-8E6D-5917-0000-0010DFAF5004} 8804 C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe {A23EAE89-8E5A-5917-0000-00100E3E4D04} 2024 C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe 20532 0x00007FFB09321970 C:\Windows\SYSTEM32\ntdll.dll DbgUiRemoteBreakin