
uberAgent 6.2 Preview: Monitor Remote Thread Creation

  • by Sven Scharmentke
  • August 25, 2021

While we’re finalizing version 6.2 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at a cool new feature: detection of remote thread creation.

What Is Remote Thread Creation?

Remote thread creation is a common technique used by malware to inject code into other processes that are usually classified as “good” or “safe”. While not every remote thread is malicious, such code injection events can be good indicators of compromise and should be investigated.

uberAgent ESA makes it easy to track remote thread creation by exposing all relevant information via its Threat Detection Engine.

Which Data Is Collected by Remote Thread Creation Monitoring?

uberAgent remote thread creation monitoring collects the following information for any remote thread code injection event:

  • Source process: who created the remote thread?
  • Target process: in which process was the remote thread created?
  • Thread details: which function was started? In which library is this function located? What is the memory address of this function?
  • All common information about the target process, including Authenticode signature status and other important security metrics, is collected as well, of course.

With this information, it is easy to create Threat Detection rules and report any unknown or dangerous remote threads to your SIEM.

Configuring Remote Thread Creation Monitoring

Example: Report Any Remote Threads of Processes That Are Not Digitally Signed

This simple Threat Detection rule is triggered for every Process.CreateRemoteThread event. Whenever that happens, the uAQL query Process.IsSigned == false is executed. If the process that is creating a remote thread is not digitally signed, the uAQL query returns true and a new SIEM event with the tag process-create-remote-thread is generated by uberAgent. The SIEM event’s fields include various thread properties such as Thread.StartModule.

[ActivityMonitoringRule]
RuleName = Detect remote thread creation from unsigned processes
EventType = Process.CreateRemoteThread
Query = Process.IsSigned == false
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName

Example: Detect DLL Injections and Tag Them

There are many ways to load libraries into other processes. One of these techniques simply creates a remote thread whose entry point is the LoadLibrary function. The following example implements a rule that classifies such events as DLL injection:

[ActivityMonitoringRule]
RuleName = Detect remote threads calling LoadLibrary
EventType = Process.CreateRemoteThread
Query = contains(Thread.StartFunctionName, "LoadLibrary")
Tag = process-dll-injection
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
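As an added illustration (not uberAgent code and not the real uAQL engine), the following Python reads rules in the [ActivityMonitoringRule] format used in both examples above and replays constructed Process.CreateRemoteThread events through them to show which rule fires, which tag and risk score the resulting SIEM record carries, and how the GenericProperty fields are filled. The query evaluator is an assumption: it only understands the two uAQL forms that appear in these examples (a boolean comparison and contains()).

```python
import re
# Rule text below is taken from the page's two examples (trimmed); the events further down are constructed.
RULES_TEXT = """[ActivityMonitoringRule]
EventType = Process.CreateRemoteThread
Query = Process.IsSigned == false
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.StartFunctionName
[ActivityMonitoringRule]
EventType = Process.CreateRemoteThread
Query = contains(Thread.StartFunctionName, "LoadLibrary")
Tag = process-dll-injection
RiskScore = 75
GenericProperty1 = Thread.StartAddress"""

def parse_rules(text):
    rules = []  # one dict per [ActivityMonitoringRule] section, keys and values kept verbatim
    for line in text.splitlines():
        if line.strip() == "[ActivityMonitoringRule]":
            rules.append({})
        elif "=" in line and rules:
            key, _, value = line.partition("=")
            rules[-1][key.strip()] = value.strip()
    return rules

def evaluate(query, event):
    # Stand-in for uAQL that only understands the two forms used above (assumption, not the real engine)
    if m := re.fullmatch(r"([\w.]+) == (true|false)", query):
        return event.get(m.group(1)) is (m.group(2) == "true")
    if m := re.fullmatch(r'contains\(([\w.]+), "([^"]*)"\)', query):
        return m.group(2) in str(event.get(m.group(1), ""))
    raise ValueError("unsupported query: " + query)

def run_rules(rules, events):
    # Yield one SIEM-style record per matching (event, rule) pair: tag, risk score, generic properties
    for event in events:
        for rule in rules:
            if event["EventType"] == rule["EventType"] and evaluate(rule["Query"], event):
                record = {"Tag": rule["Tag"], "RiskScore": int(rule["RiskScore"])}
                record.update((f, event.get(f)) for k, f in rule.items() if k.startswith("GenericProperty"))
                yield record

# Constructed sample events: unsigned LoadLibraryW injector, signed ordinary thread start, and a non-thread event type
EVENTS = [
    {"EventType": "Process.CreateRemoteThread", "Process.IsSigned": False,
     "Thread.StartFunctionName": "LoadLibraryW", "Thread.StartAddress": "0x7ffd1a2b3c40"},
    {"EventType": "Process.CreateRemoteThread", "Process.IsSigned": True,
     "Thread.StartFunctionName": "RtlUserThreadStart", "Thread.StartAddress": "0x7ffd1a2b0000"},
    {"EventType": "Process.Start", "Process.IsSigned": False},
]
```

Running `list(run_rules(parse_rules(RULES_TEXT), EVENTS))` yields two records, both for the first event: one tagged process-create-remote-thread and one tagged process-dll-injection.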

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.
