uberAgent 6.2 Preview: Monitor Remote Thread Creation
While we’re finalizing version 6.2 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at a cool new feature: detection of remote thread creation.
Remote thread creation is a common technique used by malware to inject code into other processes that are usually classified as “good” or “safe”. While not every remote thread is malicious, such code injection events can be good indicators of compromise and should be investigated.
uberAgent ESA makes it easy to track remote thread creation by exposing all relevant information via its Threat Detection Engine.
uberAgent remote thread creation monitoring collects the following information for any remote thread code injection event:
- Source process: who created the remote thread?
- Target process: in which process was the remote thread created?
- Thread details: which function was started? In which library is this function located? What is the memory address of this function?
- Target process details: all the usual process information, including Authenticode signature status and other important security metrics, is collected too, of course.
Having this information, it is easy to create Threat Detection rules and report any unknown or dangerous remote threads to your SIEM.
This simple Threat Detection rule is triggered for every Process.CreateRemoteThread event. Whenever that happens, the uAQL query Process.IsSigned == false is executed. If the process that is creating the remote thread is not digitally signed, the uAQL query returns true and a new SIEM event with the tag process-create-remote-thread is generated by uberAgent. The SIEM event's fields include the thread properties mapped via the rule's GenericProperty entries:

[ActivityMonitoringRule]
RuleName = Detect remote thread creation from unsigned processes
EventType = Process.CreateRemoteThread
Query = Process.IsSigned == false
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName
There are many ways to load libraries into other processes. One of these techniques simply creates a remote thread whose entry point is the function LoadLibrary. The following example implements a rule that classifies such events as DLL injection:

[ActivityMonitoringRule]
RuleName = Detect remote threads calling LoadLibrary
EventType = Process.CreateRemoteThread
Query = contains(Thread.StartFunctionName, "LoadLibrary")
Tag = process-dll-injection
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
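To make the two rules above concrete, here is an added example (not uberAgent's own code) that parses rule text in the [ActivityMonitoringRule] format, evaluates the two uAQL query forms used on this page (a field comparison and contains()), and shows which tagged SIEM records a single Process.CreateRemoteThread event would produce. The rule text, the event field values and the toy evaluator are all assumptions for illustration; uberAgent's real query engine supports far more than these two forms.

```python
import re
# Constructed rule text in the page's [ActivityMonitoringRule] format (two rules from the post).
RULES_TEXT = """
[ActivityMonitoringRule]
RuleName = Detect remote thread creation from unsigned processes
EventType = Process.CreateRemoteThread
Query = Process.IsSigned == false
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.StartFunctionName
[ActivityMonitoringRule]
RuleName = Detect remote threads calling LoadLibrary
EventType = Process.CreateRemoteThread
Query = contains(Thread.StartFunctionName, "LoadLibrary")
Tag = process-dll-injection
RiskScore = 75
GenericProperty1 = Thread.StartAddress
"""
SAMPLE_EVENT = {  # constructed sample event: field names follow the post, values are made up
    "EventType": "Process.CreateRemoteThread", "Process.IsSigned": False,
    "Thread.StartFunctionName": "LoadLibraryW", "Thread.StartAddress": "0x7ff8d0a1b2c0"}

def parse_rules(text):
    """Split rule text into dicts; each [ActivityMonitoringRule] header starts a new rule."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if line == "[ActivityMonitoringRule]":
            rules.append({})
        elif "=" in line and rules:
            key, value = line.split("=", 1)
            rules[-1][key.strip()] = value.strip()
    return rules

def evaluate(query, event):
    """Toy evaluator for the two uAQL forms used on the page (not uberAgent's engine)."""
    if m := re.fullmatch(r'contains\((\S+),\s*"([^"]*)"\)', query):
        return m.group(2) in str(event.get(m.group(1), ""))
    if m := re.fullmatch(r'(\S+)\s*==\s*(\S+)', query):
        wanted = {"true": True, "false": False}.get(m.group(2), m.group(2))
        return event.get(m.group(1)) == wanted
    raise ValueError("unsupported query: " + query)

def run_rules(rules, event):
    """Return the tagged SIEM records that matching rules would emit for one event."""
    hits = []
    for rule in rules:
        if rule["EventType"] == event["EventType"] and evaluate(rule["Query"], event):
            props = {k: event.get(v) for k, v in rule.items() if k.startswith("GenericProperty")}
            hits.append({"Tag": rule["Tag"], "RiskScore": int(rule["RiskScore"]), **props})
    return hits
```

Running run_rules(parse_rules(RULES_TEXT), SAMPLE_EVENT) yields both tags for the unsigned LoadLibraryW injection, while a signed process with an ordinary start function produces no record at all.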
The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.
uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.
uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.