Question

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an analytics-driven SPL search against all data the source process images that are creating an unusually high number of threads in other processes. Enter the outlier process name as your answer where the number of injected threads is greater than two standard deviations above the average. Answer format: _.exe

index="main" sourcetype="WinEventLog:Sysmon" EventCode=8
| bin _time span=1h
| stats count as thread_count by _time, SourceImage
| eventstats avg(thread_count) as avg_count, stdev(thread_count) as stddev_count
| eval threshold=avg_count + (2 * stddev_count)
| where thread_count > threshold
| sort - thread_count
| table _time, SourceImage, thread_count, avg_count, stddev_count, threshold
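The SPL above does four things: buckets Sysmon Event ID 8 (CreateRemoteThread) events into one-hour bins, counts them per SourceImage in each bin, computes the mean and sample standard deviation of those per-row counts with eventstats, and keeps only rows more than two standard deviations above the mean. The following Python script is an added example, not part of the original page, that reproduces the same analytic offline so the threshold logic can be inspected step by step. It assumes a simplified one-line-per-event `key=value` layout for the Sysmon records; the timestamps, process names and paths in `SAMPLE_LOG` are constructed for the example and are not taken from the lab data.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timezone

# Constructed Sysmon Event ID 8 records, one per line, in a simplified
# "timestamp EventCode=8 SourceImage=... TargetImage=..." layout.  Process
# names, paths and times are invented for this example (not lab data).
_SPEC = [
    # (hour bucket, source image, number of remote-thread events in that hour)
    ("2024-05-01T09", r"C:\Windows\System32\alpha.exe", 2),
    ("2024-05-01T10", r"C:\Windows\System32\alpha.exe", 2),
    ("2024-05-01T11", r"C:\Windows\System32\alpha.exe", 2),
    ("2024-05-01T09", r"C:\Program Files\beta\beta.exe", 1),
    ("2024-05-01T10", r"C:\Program Files\beta\beta.exe", 1),
    ("2024-05-01T11", r"C:\Program Files\beta\beta.exe", 1),
    ("2024-05-01T09", r"C:\Users\Public\gamma.exe", 1),
    ("2024-05-01T10", r"C:\Users\Public\gamma.exe", 1),
    ("2024-05-01T11", r"C:\Users\Public\gamma.exe", 9),  # the planted spike
]
SAMPLE_LOG = [
    f"{hour}:{i:02d}:00Z EventCode=8 SourceImage={image} "
    f"TargetImage=C:\\Windows\\explorer.exe"
    for hour, image, n in _SPEC
    for i in range(n)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventCode=(?P<code>\d+) "
    r"SourceImage=(?P<src>.+?) TargetImage=(?P<tgt>.+)$"
)


def parse_events(lines):
    """Yield (utc timestamp, SourceImage) for each EventCode=8 line.

    Lines that do not match the layout, or carry another EventCode, are
    skipped; this mirrors the EventCode=8 filter in the SPL search.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("code") != "8":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m.group("src")


def hourly_counts(events):
    """Equivalent of `bin _time span=1h | stats count by _time, SourceImage`."""
    counts = Counter()
    for ts, src in events:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[(bucket, src)] += 1
    return counts


def find_outliers(counts, sigmas=2.0):
    """Equivalent of the eventstats / eval / where / sort stages.

    The mean and standard deviation are taken over every (hour, SourceImage)
    row, exactly as eventstats does without a `by` clause.  Splunk's stdev()
    is the sample standard deviation, so statistics.stdev matches it.
    """
    values = list(counts.values())
    if len(values) < 2:          # stdev is undefined for a single row
        return []
    mean = statistics.fmean(values)
    sd = statistics.stdev(values)
    threshold = mean + sigmas * sd
    rows = [
        {"_time": bucket, "SourceImage": src, "thread_count": n,
         "avg_count": mean, "stddev_count": sd, "threshold": threshold}
        for (bucket, src), n in counts.items()
        if n > threshold
    ]
    return sorted(rows, key=lambda r: r["thread_count"], reverse=True)


def outlier_process_names(lines, sigmas=2.0):
    """Reduce the outlier rows to distinct image basenames (answer format _.exe)."""
    rows = find_outliers(hourly_counts(parse_events(lines)), sigmas)
    names = []
    for r in rows:
        name = r["SourceImage"].rsplit("\\", 1)[-1]
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for row in find_outliers(hourly_counts(parse_events(SAMPLE_LOG))):
        print(row)
    print(outlier_process_names(SAMPLE_LOG))
```

With the constructed data the nine hourly rows have a mean of about 2.22 and a sample standard deviation of about 2.59, so the threshold is roughly 7.4 and only the `gamma.exe` row with nine events is flagged. One caveat carried over from the SPL: because eventstats has no `by` clause, a process that legitimately creates remote threads at a steady high rate raises the global mean and can hide a smaller spike from another image; computing the baseline per SourceImage is a common refinement when the environment has such processes.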
