Sysmon Event ID 8: Create Remote Thread
Caution: Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources:
- https://github.com/trustedsec/SysmonCommunityGuide
- https://github.com/olafhartong/sysmon-modular
- https://github.com/Neo23x0/sysmon-config
Some detection rules use Sysmon Event ID 8 (Create Remote Thread) to detect process injection techniques. Attackers often use process injection to evade defenses, escalate privileges, or execute malicious code in the context of another process, such as for credential dumping.
To collect these logs, use the Windows Integration and select the Sysmon Operational channel on the integration setup page.
The following snippet demonstrates the minimal configuration required to enable Event ID 8 (Create Remote Thread). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above.
<Sysmon schemaversion="4.90"> <HashAlgorithms>md5,sha256</HashAlgorithms> <EventFiltering> <!-- Log all remote thread creation events --> <CreateRemoteThread onmatch="exclude"></CreateRemoteThread> </EventFiltering> </Sysmon> Use the following GitHub search to identify rules that use the events generated by this configuration: