While we’re finalizing version 6.2 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at a cool new feature: detection of remote thread creation.
Remote thread creation is a common technique used by malware to inject code into other processes that are usually classified as “good” or “safe”. While not every remote thread is malicious, such code injection events can be good indicators of compromise and should be investigated.
uberAgent ESA makes it easy to track remote thread creation by exposing all relevant information via its Activity Monitoring Engine.
uberAgent remote thread creation monitoring collects the following information for any remote thread code injection event:
- Source process: who created the remote thread?
- Target process: in which process was the remote thread created?
- Thread details: which function was started? In which library is this function located? What is the memory address of this function?
- All common information about the target process, including Authenticode signature status and other important security metrics, is collected too.
With this information, it is easy to create Activity Monitoring rules and report any unknown or dangerous remote threads to your SIEM.
This simple Activity Monitoring rule is triggered for every Process.CreateRemoteThread event. Whenever that happens, the uAQL query Process.IsSigned == false is executed. If the process that is creating a remote thread is not digitally signed, the uAQL query returns true and a new SIEM event with the tag process-create-remote-thread is generated by uberAgent. The SIEM event’s fields include various thread properties, such as those selected by the GenericProperty settings in this rule:

```ini
[ActivityMonitoringRule]
RuleName = Detect remote thread creation from unsigned processes
EventType = Process.CreateRemoteThread
Query = Process.IsSigned == false
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName
```
There are many ways to load libraries into other processes. One of these techniques simply uses a remote thread and calls the function LoadLibrary as the entry point of the newly created thread. The following example implements a rule that classifies such events as DLL injection:

```ini
[ActivityMonitoringRule]
RuleName = Detect remote threads calling LoadLibrary
EventType = Process.CreateRemoteThread
Query = contains(Thread.StartFunctionName, "LoadLibrary")
Tag = process-dll-injection
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
```
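To show how the two rules above behave on concrete remote-thread events, here is an added example that is not uberAgent’s code and does not reproduce its uAQL engine. It parses the two INI rules as written in this post, evaluates their queries against a few constructed Process.CreateRemoteThread events, and builds the SIEM-style records a detection pipeline would forward. The query mini-language supported here (`Field == literal` and `contains(Field, "text")`, with a case-insensitive substring match) is an assumption, as are the extra event fields `Process.Name` and `Target.Name`; only the field names that appear in the rules are taken from the post.

```python
"""Toy evaluator for uberAgent-style Activity Monitoring rules (added example)."""
import re

# The two rules from the post, in uberAgent's INI syntax.
RULES_INI = """
[ActivityMonitoringRule]
RuleName = Detect remote thread creation from unsigned processes
EventType = Process.CreateRemoteThread
Query = Process.IsSigned == false
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName

[ActivityMonitoringRule]
RuleName = Detect remote threads calling LoadLibrary
EventType = Process.CreateRemoteThread
Query = contains(Thread.StartFunctionName, "LoadLibrary")
Tag = process-dll-injection
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
"""

# Constructed sample events. Process.Name / Target.Name are assumed field
# names for illustration; the Thread.* and Process.IsSigned names are the
# ones used in the rules above.
SAMPLE_EVENTS = [
    {"Id": "unsigned-loadlibrary", "EventType": "Process.CreateRemoteThread",
     "Process.Name": "dropper.exe", "Process.IsSigned": False,
     "Target.Name": "explorer.exe", "Thread.Id": 4120,
     "Thread.Timestamp": "2020-03-01T10:15:00Z", "Thread.StartAddress": "0x7ffc1a2b3c40",
     "Thread.StartModule": "kernel32.dll", "Thread.StartFunctionName": "LoadLibraryW"},
    {"Id": "signed-benign", "EventType": "Process.CreateRemoteThread",
     "Process.Name": "debugger.exe", "Process.IsSigned": True,
     "Target.Name": "app.exe", "Thread.Id": 5222,
     "Thread.Timestamp": "2020-03-01T10:16:00Z", "Thread.StartAddress": "0x7ffc1a000000",
     "Thread.StartModule": "ntdll.dll", "Thread.StartFunctionName": "RtlUserThreadStart"},
    {"Id": "signed-loadlibrary", "EventType": "Process.CreateRemoteThread",
     "Process.Name": "signedtool.exe", "Process.IsSigned": True,
     "Target.Name": "svchost.exe", "Thread.Id": 6001,
     "Thread.Timestamp": "2020-03-01T10:17:00Z", "Thread.StartAddress": "0x7ffc1a2b3c40",
     "Thread.StartModule": "kernel32.dll", "Thread.StartFunctionName": "LoadLibraryA"},
]


def parse_rules(text):
    """Split INI text into one dict per [ActivityMonitoringRule] section.

    A hand-rolled parser is used because every section carries the same
    name, which the standard configparser module would refuse or merge.
    """
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            rules.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return rules


_CONTAINS = re.compile(r'^contains\(\s*([\w.]+)\s*,\s*"([^"]*)"\s*\)$')
_EQUALS = re.compile(r'^([\w.]+)\s*==\s*(\S+)$')


def _literal(token):
    """Turn a query literal (true/false, "string", integer) into a Python value."""
    if token.lower() in ("true", "false"):
        return token.lower() == "true"
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    try:
        return int(token)
    except ValueError:
        return token


def evaluate_query(query, event):
    """Evaluate the assumed uAQL subset against one event dict."""
    m = _CONTAINS.match(query)
    if m:
        field, needle = m.groups()
        return needle.lower() in str(event.get(field, "")).lower()
    m = _EQUALS.match(query)
    if m:
        field, token = m.groups()
        return event.get(field) == _literal(token)
    raise ValueError(f"unsupported query: {query}")


def apply_rules(rules, event):
    """Return one SIEM-style record per rule that matches the event."""
    hits = []
    for rule in rules:
        if rule.get("EventType") != event.get("EventType"):
            continue
        if not evaluate_query(rule["Query"], event):
            continue
        # GenericPropertyN names the event field whose value is exported.
        props = {k: event.get(v) for k, v in rule.items() if k.startswith("GenericProperty")}
        hits.append({"RuleName": rule["RuleName"], "Tag": rule["Tag"],
                     "RiskScore": int(rule["RiskScore"]), "Properties": props})
    return hits


def run_sample():
    """Map each sample event id to the list of tags its matching rules emit."""
    rules = parse_rules(RULES_INI)
    return {ev["Id"]: [hit["Tag"] for hit in apply_rules(rules, ev)] for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event_id, tags in run_sample().items():
        print(f"{event_id}: {tags or 'no match'}")
```

Running the script shows that the unsigned dropper injecting via LoadLibraryW triggers both rules, the signed tool whose thread starts at LoadLibraryA triggers only the DLL-injection rule, and the signed debugger with an ordinary thread start triggers neither, which is the overlap you would expect to see when both rules ship to the same SIEM.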
uberAgent is an innovative Windows and macOS user experience monitoring and endpoint security analytics product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance per website, and remoting protocol insights.
vast limits GmbH is the company behind uberAgent, the innovative user experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.