
Summary
This detection rule identifies remote thread creation initiated by uncommon or otherwise benign processes that are not normally associated with this behavior. Remote thread creation can be exploited by threat actors for malicious activities such as privilege escalation, defense evasion, and code injection. The rule relies on Sysmon Event ID 8 (CreateRemoteThread), which records a process creating a thread in the address space of another process. A comprehensive list of well-known benign processes (such as explorer.exe and winword.exe) is included to filter out false positives that arise during normal operation. The detection logic is written in Splunk search syntax to filter and analyze the relevant Sysmon events, and uses specific regex conditions to extract the source and target images accurately. By excluding benign combinations of source and target processes, the rule reduces noise and improves detection efficacy while remaining vigilant against potentially suspicious activity originating from LOLBINs (Living Off The Land Binaries) or LOLBAS (Living Off The Land Binaries and Scripts).
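The exclusion logic described above, as an added Python example that is not the rule's own Splunk search: it parses constructed Sysmon Event ID 8 records, reduces the source and target images to their basenames, and drops known-benign sources and source/target pairs before alerting. The allow-lists, field layout, and sample records are assumptions made for illustration; the real rule's list is far longer.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records in a key="value" layout; not real telemetry.
SAMPLE_EVENTS = [
    'EventCode=8 SourceImage="C:\\Windows\\explorer.exe" TargetImage="C:\\Windows\\System32\\svchost.exe"',
    'EventCode=8 SourceImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" TargetImage="C:\\Windows\\splwow64.exe"',
    'EventCode=8 SourceImage="C:\\Windows\\System32\\csrss.exe" TargetImage="C:\\Windows\\System32\\conhost.exe"',
    'EventCode=8 SourceImage="C:\\Windows\\System32\\rundll32.exe" TargetImage="C:\\Windows\\explorer.exe"',
    'EventCode=8 SourceImage="C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe" TargetImage="C:\\Windows\\System32\\svchost.exe"',
    'EventCode=1 SourceImage="C:\\Windows\\System32\\rundll32.exe" TargetImage="C:\\Windows\\explorer.exe"',
    'EventCode=8 SourceImage="C:\\Windows\\System32\\csrss.exe"',
]

# Assumed allow-lists: sources excluded outright, and specific source->target pairs excluded together.
BENIGN_SOURCES = {"explorer.exe", "winword.exe"}
BENIGN_PAIRS = {("csrss.exe", "conhost.exe")}

# Quoted values may contain spaces (e.g. Program Files); unquoted values end at whitespace.
_FIELD = re.compile(r'(?P<key>EventCode|SourceImage|TargetImage)=(?:"(?P<q>[^"]*)"|(?P<u>\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Extract only the fields the rule needs from one record."""
    return {m.group("key"): m.group("q") if m.group("q") is not None else m.group("u")
            for m in _FIELD.finditer(line)}


def image_name(path: str) -> str:
    """Lower-cased basename, so path and case differences cannot slip past the list."""
    return ntpath.basename(path).lower()


def is_suspicious(source: str, target: str) -> bool:
    """Alert unless the source, or the exact source/target pair, is known benign."""
    src, dst = image_name(source), image_name(target)
    return src not in BENIGN_SOURCES and (src, dst) not in BENIGN_PAIRS


def detect(lines) -> List[Tuple[str, str]]:
    """Return (source, target) basenames for every Event ID 8 record the rule would alert on."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "8" or "SourceImage" not in ev or "TargetImage" not in ev:
            continue  # wrong event type, or a truncated record with nothing to decide on
        if is_suspicious(ev["SourceImage"], ev["TargetImage"]):
            hits.append((image_name(ev["SourceImage"]), image_name(ev["TargetImage"])))
    return hits
```

Running `detect(SAMPLE_EVENTS)` yields only the rundll32.exe and the Temp-folder updater.exe records; the Office and csrss.exe records are excluded by the lists, the Event ID 1 record is ignored, and the truncated record is skipped rather than misparsed.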
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1055
Created: 2024-02-09