Data Source: Sysmon EventID 8

Date: 2025-07-10

ID: df7a786c-ade0-48f0-8596-26f10d169f7d

Author: Patrick Bareiss, Splunk

Description

Logs the creation of a new thread in a process, including details about the thread ID, start address, and source process.

Details

Property	Value
Source	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sourcetype	`XmlWinEventLog`
Separator	EventID

Supported Apps

Splunk Add-on for Sysmon (version 4.0.3)

Event Fields

+ Fields


            1
            _time
          
            3
            Channel
          
            5
            Computer
          
            7
            EventChannel
          
            9
            EventCode
          
            11
            EventData_Xml
          
            13
            EventDescription
          
            15
            EventID
          
            17
            EventRecordID
          
            19
            Guid
          
            21
            Keywords
          
            23
            Level
          
            25
            Name
          
            27
            NewThreadId
          
            29
            Opcode
          
            31
            ProcessID
          
            33
            RecordID
          
            35
            RecordNumber
          
            37
            RuleName
          
            39
            SecurityID
          
            41
            SourceImage
          
            43
            SourceProcessGuid
          
            45
            SourceProcessId
          
            47
            StartAddress
          
            49
            StartFunction
          
            51
            StartModule
          
            53
            SystemTime
          
            55
            System_Props_Xml
          
            57
            TargetImage
          
            59
            TargetProcessGuid
          
            61
            TargetProcessId
          
            63
            Task
          
            65
            ThreadID
          
            67
            TimeCreated
          
            69
            UserID
          
            71
            UtcTime
          
            73
            Version
          
            75
            action
          
            77
            date_hour
          
            79
            date_mday
          
            81
            date_minute
          
            83
            date_month
          
            85
            date_second
          
            87
            date_wday
          
            89
            date_year
          
            91
            date_zone
          
            93
            dest
          
            95
            dvc_nt_host
          
            97
            event_id
          
            99
            eventtype
          
            101
            host
          
            103
            id
          
            105
            index
          
            107
            linecount
          
            109
            os
          
            111
            parent_process_exec
          
            113
            parent_process_guid
          
            115
            parent_process_id
          
            117
            parent_process_name
          
            119
            parent_process_path
          
            121
            process_exec
          
            123
            process_guid
          
            125
            process_id
          
            127
            process_name
          
            129
            process_path
          
            131
            punct
          
            133
            signature
          
            135
            signature_id
          
            137
            source
          
            139
            sourcetype
          
            141
            splunk_server
          
            143
            src_address
          
            145
            src_function
          
            147
            src_module
          
            149
            tag
          
            151
            tag::eventtype
          
            153
            timeendpos
          
            155
            timestartpos
          
            157
            user_id
          
            159
            vendor_product
          
            161

...

not set

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>8</EventID><Version>2</Version><Level>4</Level><Task>8</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2022-10-27T13:59:12.440938600Z'/><EventRecordID>362233</EventRecordID><Correlation/><Execution ProcessID='2656' ThreadID='2360'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-ctus-attack-range-487.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2022-10-27 13:59:12.427</Data><Data Name='SourceProcessGuid'>{3381F800-8EB0-635A-1306-000000008A02}</Data><Data Name='SourceProcessId'>4864</Data><Data Name='SourceImage'>C:\Windows\SysWOW64\wermgr.exe</Data><Data Name='TargetProcessGuid'>{3381F800-8085-635A-2701-000000008A02}</Data><Data Name='TargetProcessId'>5572</Data><Data Name='TargetImage'>C:\Windows\System32\Taskmgr.exe</Data><Data Name='NewThreadId'>4964</Data><Data Name='StartAddress'>0x0000000000C20000</Data><Data Name='StartModule'>-</Data><Data Name='StartFunction'>-</Data></EventData></Event>

Source: GitHub | Version: 3