Suggest updating line 55 in sysmon_parse.cmd to include ID 8, added to Sysmon on 20 JUL 2015 to identify CreateRemoteThread events.
Suggested change as follows:
tools\logparser\logparser -i:evt -o:csv "Select RecordNumber,TOUTCTIME(TimeGenerated),EventID,SourceName,ComputerName,SID,Strings from %src% WHERE EventID in ('1';'2';'3';'4';'5';'6';'7';'8')" > Results%dtstamp%\sysmon_parsed.txt
mattchurchill
commented
9 years ago
Greetings.
Suggest updating line 55 in sysmon_parse.cmd to include ID 8, added to Sysmon on 20 JUL 2015 to identify CreateRemoteThread events. Suggested change as follows: tools\logparser\logparser -i:evt -o:csv "Select RecordNumber,TOUTCTIME(TimeGenerated),EventID,SourceName,ComputerName,SID,Strings from %src% WHERE EventID in ('1';'2';'3';'4';'5';'6';'7';'8')" > Results%dtstamp%\sysmon_parsed.txt
Cheers.