SOC Event Lookup
Event ID 8ProcessP1

Sysmon Event ID 8: CreateRemoteThread

Sysmon Event ID 8 records a process creating a thread in another process and is a high-value telemetry source for investigating process injection and cross-process execution.

Applicable version
Sysmon 1.0 and later; CreateRemoteThread logging must be enabled
Last reviewed
2026-07-10

Trigger Scenarios

Sysmon generates the event when it observes a remote thread creation attempt. The event can be produced by benign debuggers and security tooling as well as by injection techniques.

Key Fields

SourceImage / SourceProcessGuid

The process that created the remote thread. Investigate whether it is expected to interact with the target process and correlate it to Event ID 1.

TargetImage / TargetProcessGuid

The process receiving the new thread. Sensitive targets such as browser, authentication, security, and business application processes deserve role-aware triage.

StartAddress

The thread start address. Addresses in unusual memory regions can support injection analysis, but require memory and module context to interpret correctly.

StartModule / StartFunction

When available, these fields identify the module and exported function associated with the start address. Missing or unexpected module context can be notable.

Common False Positives

  • Endpoint protection, EDR agents, debuggers, accessibility tools, and application instrumentation may create remote threads.
  • Some application frameworks and automation products use cross-process techniques for legitimate integration.
  • A single event without the source process, target role, or follow-on behavior is not sufficient to label as malicious.

Related Events

MITRE ATT&CK Mapping

  • T1055Process Injection

Detection Notes

T1055 injection is concrete when TargetImage is lsass.exe or explorer.exe and StartModule is empty while SourceImage runs from C:\\Users\\ or C:\\Temp\\. An empty StartModule with a remote StartAddress supports shellcode rather than a normal exported function.

Microsoft Sentinel KQL
Sysmon
| where EventID == 8
| where TargetImage has_any ("\\lsass.exe", "\\explorer.exe", "\\chrome.exe", "\\msedge.exe")
| project TimeGenerated, Computer, SourceImage, TargetImage, StartAddress, StartModule, StartFunction
| order by TimeGenerated desc
Splunk SPL
index=sysmon EventCode=8
| search TargetImage IN ("*\\lsass.exe", "*\\explorer.exe", "*\\chrome.exe", "*\\msedge.exe")
| table _time, host, SourceImage, TargetImage, StartAddress, StartModule, StartFunction
Sample Log
UtcTime: 2026-07-10 03:20:18.000
SourceImage: C:\Users\jsmith\AppData\Local\Temp\updater.exe
TargetImage: C:\Windows\explorer.exe
StartAddress: 0x000001F4A1230000
StartModule: 
StartFunction: 

Source