A thread of execution is the smallest sequence of programmed instructions that can be managed independently by a scheduler, which is typically part of the operating system. A thread is typically a component of a process. Multiple threads can exist within the same process and share resources such as memory, while different processes do not share these resources. The threads of a process share executable code instructions and context, such as the values of variables at any given moment.

Actions

|Action|Description|
|---|---|
|create|The event corresponding to the act of creating a new thread.|
|remote_create|A subset of thread create events that correspond to thread injection, that is, when a process creates a thread in another process. For a remote_create event, src_pid and tgt_pid are different.|
|suspend|The event corresponding to the act of suspending a thread which is currently running.|
|terminate|The event corresponding to the act of terminating a running thread.|

Fields

|Field|Description|Example|
|---|---|---|
|hostname|The hostname of the active host, without the domain.|HOST1|
|src_pid|The process ID of the process that created the thread.|6016|
|src_tid|The thread ID of the thread that created the event.|9012|
|stack_base|The base address of the thread's stack (distinct from the user_stack_base field below).|18446735827508301824|
|stack_limit|The limit of the thread's stack.|18446735827508277248|
|start_address|The memory address at which the thread's execution starts.|18446735827446645728|
|start_function|The function at start_address.|LoadLibrary|
|start_module|The module in which start_address resides.|C:\windows\system32\ntdll.dll|
|start_module_name|The short name of the start_module.|ntdll.dll|
|tgt_pid|The process ID of the process in which the new thread runs.|232|
|tgt_tid|The thread ID of the new thread that was created.|6964|
|uid|The ID or SID of the user who directly or indirectly acted on the thread.|S-1-5-18|
|user|The user context in which the source thread was running. May be a local, domain or SYSTEM user, written with a backslash between the domain or host and the username, as in the example. Because threads are allowed to impersonate users, this may differ from the user context of the process.|HOST1\LOCALUSER|
|user_stack_base|The base address of the thread's user-mode stack.|0|
|user_stack_limit|The limit of the thread's user-mode stack.|0|
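As an added example (not code from this page or from any vendor's product), the following Python takes a few constructed thread events carrying the fields above, derives the remote_create subset from the src_pid/tgt_pid rule in the Actions table, and applies two assumed heuristics on the new thread's entry point that analysts commonly use to triage injection: a LoadLibrary-family start function (classic DLL injection) and a start address not backed by any module (shellcode or a manually mapped image). The sample records, the DLL_LOAD_FUNCS list and the function names are assumptions for illustration.

```python
"""Flag remote thread creation (thread injection) in thread events.

Added example for the schema documented on this page; it is not code from the
page or from any vendor. Input records are constructed inline with the field
names from the Fields table; the start_function/start_module heuristics are
assumptions for illustration, not part of the schema.
"""
from typing import Dict, List

# Entry points typical of an injected thread that loads a DLL into the target.
# Assumed list for this example; extend it for your environment.
DLL_LOAD_FUNCS = {"LoadLibrary", "LoadLibraryA", "LoadLibraryW",
                  "LoadLibraryExA", "LoadLibraryExW"}

# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS: List[Dict] = [
    # 1. ordinary thread creation inside one process: src_pid == tgt_pid
    {"action": "create", "hostname": "HOST1", "src_pid": 4120, "src_tid": 4124,
     "tgt_pid": 4120, "tgt_tid": 4188, "start_address": 0x7FF8A1C01000,
     "start_function": "TppWorkerThread",
     "start_module": r"C:\windows\system32\ntdll.dll",
     "start_module_name": "ntdll.dll", "user": "HOST1\\LOCALUSER"},
    # 2. suspend event: not a creation, ignored by the injection scan
    {"action": "suspend", "hostname": "HOST1", "src_pid": 4120, "src_tid": 4124,
     "tgt_pid": 4120, "tgt_tid": 4188, "user": "HOST1\\LOCALUSER"},
    # 3. cross-process thread whose entry point is LoadLibraryW (DLL injection)
    {"action": "create", "hostname": "HOST1", "src_pid": 6016, "src_tid": 9012,
     "tgt_pid": 232, "tgt_tid": 6964, "start_address": 0x7FF8A0A31F20,
     "start_function": "LoadLibraryW",
     "start_module": r"C:\windows\system32\kernel32.dll",
     "start_module_name": "kernel32.dll", "uid": "S-1-5-18",
     "user": "HOST1\\LOCALUSER"},
    # 4. cross-process thread starting in memory not backed by any module
    {"action": "create", "hostname": "HOST1", "src_pid": 6016, "src_tid": 9012,
     "tgt_pid": 232, "tgt_tid": 7000, "start_address": 0x1A2B3C40000,
     "start_function": "", "start_module": "", "start_module_name": "",
     "uid": "S-1-5-18", "user": "HOST1\\LOCALUSER"},
]


def classify_action(event: Dict) -> str:
    """Map a raw event to a schema action: a 'create' whose source and target
    process IDs differ is the 'remote_create' subset from the Actions table."""
    action = event.get("action", "")
    if action == "create" and event["src_pid"] != event["tgt_pid"]:
        return "remote_create"
    return action


def injection_findings(event: Dict) -> List[str]:
    """Return findings for one event; an empty list means nothing notable."""
    if classify_action(event) != "remote_create":
        return []
    findings = [
        f"remote thread: pid {event['src_pid']} (tid {event['src_tid']}) created "
        f"tid {event['tgt_tid']} in pid {event['tgt_pid']} on {event['hostname']}"
    ]
    if event.get("start_function") in DLL_LOAD_FUNCS:
        findings.append(
            f"entry point {event['start_function']} in {event['start_module_name']}: "
            "classic DLL injection (LoadLibrary on a path written into the target)")
    if not event.get("start_module"):
        findings.append(
            f"start_address {event['start_address']:#x} is not backed by any "
            "module: possible shellcode or manually mapped image")
    return findings


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Scan a batch of events; findings are keyed by the new thread's tgt_tid."""
    results: Dict[int, List[str]] = {}
    for event in events:
        findings = injection_findings(event)
        if findings:
            results[event["tgt_tid"]] = findings
    return results


if __name__ == "__main__":
    for tid, lines in scan(SAMPLE_EVENTS).items():
        print(f"tgt_tid {tid}:")
        for line in lines:
            print("  -", line)
```

Only the two cross-process creations (tgt_tid 6964 and 7000) produce findings; the in-process creation and the suspend event are passed over. In production the same rule would read the user field as well, since an impersonating source thread can carry a different user than its process.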

Coverage Map

|Action|Source|Fields covered|
|---|---|---|
|create|||
|remote_create|Sysmon|hostname, src_pid, src_tid, start_address, start_function, start_module, start_module_name, tgt_pid, tgt_tid, uid, user|
|suspend|||
|terminate|||

No source is listed for create, suspend or terminate. For remote_create the stack_base, stack_limit, user_stack_base and user_stack_limit fields are not populated: Sysmon's CreateRemoteThread event (Event ID 8) reports the new thread's start address, module and function but no stack addresses.