Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find, through an analytics-driven SPL search against all data, the source process images that are creating an unusually high number of threads in other processes. Enter the outlier process name as your answer where the number of injected threads is greater than two standard deviations above the average. Answer format: _.exe
Hint: Count SourceImage
index=* sourcetype="WinEventLog:Sysmon" EventCode=8 | stats count as ThreadCount by SourceImage
| eventstats avg(ThreadCount) as avgThreads, stdev(ThreadCount) as stdevThreads
| where ThreadCount > (avgThreads + (2 * stdevThreads))
| table SourceImage, ThreadCount
Then read off the SourceImage with the highest ThreadCount. Sysmon Event ID 8 is the CreateRemoteThread event: the process that created the thread is in SourceImage and the process that received it is in TargetImage, so the count is grouped by SourceImage. A time-bucketed variant baselines each SourceImage against its own hourly history instead of against the other images:
index="main" sourcetype="WinEventLog:Sysmon" EventCode=8 | bin _time span=1h | stats count as ThreadCount by _time, SourceImage | streamstats avg(ThreadCount) as avg stdev(ThreadCount) as stdev by SourceImage
| where ThreadCount > (avg + (2 * stdev))
| sort -ThreadCount
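The mean plus two standard deviations test behind both SPL searches above, written in Python as an added example (not code from the page or the course material) over constructed Sysmon Event ID 8 records. The image paths, counts and the planted `sample_outlier.exe` are made up. It also shows a caveat worth knowing before trusting an empty `where` result: with the standard deviation computed from the same handful of per-image counts, a 2-sigma rule cannot fire unless there are at least six distinct SourceImage values, however extreme the outlier.

```python
"""Mean + 2*stdev outlier check for Sysmon Event ID 8 (CreateRemoteThread) grouped by SourceImage.

Mirrors `EventCode=8 | stats count by SourceImage | eventstats avg stdev | where ...`.
All records below are constructed for the example; none are real telemetry.
"""
import math
import statistics
from collections import Counter

# Constructed per-image thread counts (not real data). The single large value is the
# planted outlier; the rest model ordinary Windows processes creating a few remote threads.
CONSTRUCTED_COUNTS = {
    r"C:\Windows\System32\svchost.exe": 1,
    r"C:\Windows\System32\csrss.exe": 2,
    r"C:\Windows\System32\wininit.exe": 1,
    r"C:\Windows\explorer.exe": 3,
    r"C:\Windows\System32\lsass.exe": 2,
    r"C:\Windows\System32\services.exe": 1,
    r"C:\Program Files\Example\agent.exe": 2,
    r"C:\Users\user\AppData\Local\Temp\sample_outlier.exe": 30,  # constructed outlier
}


def build_events(counts):
    """Expand the count table into minimal Sysmon-like records (EventCode, SourceImage, TargetImage).

    One unrelated EventCode=1 (process create) record is included to show the filter dropping it.
    """
    events = [{"EventCode": 1, "SourceImage": r"C:\Windows\System32\cmd.exe", "TargetImage": ""}]
    for image, n in counts.items():
        for i in range(n):
            events.append({
                "EventCode": 8,
                "SourceImage": image,
                "TargetImage": rf"C:\Windows\System32\target{i}.exe",  # constructed target
            })
    return events


def count_remote_threads(events):
    """Equivalent of `EventCode=8 | stats count as ThreadCount by SourceImage`."""
    return Counter(e["SourceImage"] for e in events if e.get("EventCode") == 8)


def outlier_threshold(counts, k=2.0):
    """avg + k*stdev over the per-image counts.

    Splunk's stdev() is the sample standard deviation (stdevp() is the population one),
    so statistics.stdev is the matching computation.
    """
    values = list(counts.values())
    if len(values) < 2:
        return math.inf  # stdev is undefined for one group; nothing can be flagged
    return statistics.mean(values) + k * statistics.stdev(values)


def find_outliers(counts, k=2.0):
    """Equivalent of `eventstats avg stdev | where ThreadCount > avg + k*stdev`."""
    threshold = outlier_threshold(counts, k)
    return {image: n for image, n in counts.items() if n > threshold}


def max_zscore(n_groups):
    """Largest z-score any one of n values can reach when the sample stdev comes from those same
    values: (n-1)/sqrt(n). It is below 2 for n <= 5, so a 2-sigma rule over five or fewer
    SourceImage values can never flag anything, no matter how large the outlier is."""
    return (n_groups - 1) / math.sqrt(n_groups)


if __name__ == "__main__":
    counts = count_remote_threads(build_events(CONSTRUCTED_COUNTS))
    print(f"threshold = {outlier_threshold(counts):.2f}")
    for image, n in sorted(find_outliers(counts).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {image}")
```

Run against the constructed table the threshold comes out at about 25.3 and only the planted image clears it. The `max_zscore` bound is why sorting by count, as the bucketed search does, is a useful sanity check: on a small host set the `where` clause can return an empty table even when one process obviously dominates the CreateRemoteThread events.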
Interestingly, the Sysmon events themselves carry a MITRE ATT&CK technique ID in their rule name (T1055 is Process Injection), so one can simply search for that ID instead of building the statistical baseline:
index="main" sourcetype="WinEventLog:Sysmon" EventCode=8 "technique_id=T1055"
| table _time, host, TaskCategory, RuleName, SourceImage, TargetImage