uberAgent 6.2 Preview: Monitor Remote Thread Creation

While we’re finalizing version 6.2 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at a cool new feature: detection of remote thread creation.

What Is Remote Thread Creation?

Remote thread creation is a common technique used by malware to inject code into other processes that are usually classified as “good” or “safe”. While not every remote thread is malicious, such code injection events can be good indicators of compromise and should be investigated.

uberAgent ESA makes it easy to track remote thread creation by exposing all relevant information via its Activity Monitoring Engine.

Which Data Is Collected by Remote Thread Creation Monitoring?

uberAgent remote thread creation monitoring collects the following information for any remote thread code injection event:

  • Source process: who created the remote thread?
  • Target process: in which process was the remote thread created?
  • Thread details: which function was started? In which library is this function located? What is the memory address of this function?
  • All common information about the target process, including its Authenticode signature status and other important security metrics, is collected as well.

Having this information, it is easy to create Activity Monitoring rules and report any unknown or dangerous remote threads to your SIEM.

Configuring Remote Thread Creation Monitoring

Example: Report Any Remote Threads of Processes That Are Not Digitally Signed

This simple Activity Monitoring rule is triggered for every Process.CreateRemoteThread event. Whenever that happens, the uAQL query Process.IsSigned == false is executed. If the process that is creating a remote thread is not digitally signed, the uAQL query returns true and a new SIEM event with the tag process-create-remote-thread is generated by uberAgent. The SIEM event’s fields include various thread properties such as Thread.StartModule.

[ActivityMonitoringRule]
RuleName = Detect remote thread creation from unsigned processes
EventType = Process.CreateRemoteThread
Query = Process.IsSigned == false
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName

Example: Detect DLL Injections and Tag Them

There are many ways to load libraries into other processes. One of these techniques simply creates a remote thread whose entry point is the function LoadLibrary. The following example implements a rule that classifies such events as DLL injection:

[ActivityMonitoringRule]
RuleName = Detect remote threads calling LoadLibrary
EventType = Process.CreateRemoteThread
Query = contains(Thread.StartFunctionName, "LoadLibrary")
Tag = process-dll-injection
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
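To show how the two rules above behave side by side on concrete events, here is an added illustration that is not uberAgent's code: a small Python evaluator that parses the article's two rule definitions and applies them to constructed Process.CreateRemoteThread events. The supported uAQL subset (`Field == literal` and `contains(Field, "text")`), its semantics (case-sensitive substring match, true/false and quoted literals), the event field layout and the sample processes and timestamps are all assumptions made for the example.

```python
# Added illustration, not uberAgent code: a toy evaluator that applies the article's two
# Activity Monitoring rules to constructed Process.CreateRemoteThread events.
import re
from typing import Dict, List

# The two rules exactly as given in the article.
RULES_TEXT = """
[ActivityMonitoringRule]
RuleName = Detect remote thread creation from unsigned processes
EventType = Process.CreateRemoteThread
Query = Process.IsSigned == false
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName

[ActivityMonitoringRule]
RuleName = Detect remote threads calling LoadLibrary
EventType = Process.CreateRemoteThread
Query = contains(Thread.StartFunctionName, "LoadLibrary")
Tag = process-dll-injection
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
"""

Event = Dict[str, object]
_EQ = re.compile(r'^(\S+)\s*==\s*(.+)$')
_CONTAINS = re.compile(r'^contains\((\S+),\s*"([^"]*)"\)$')
_LITERALS = {"true": True, "false": False}


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split the INI-like text into one dict of key = value pairs per [ActivityMonitoringRule]."""
    rules: List[Dict[str, str]] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "[ActivityMonitoringRule]":
            rules.append({})
        elif "=" in line and rules:
            key, _, value = line.partition("=")
            rules[-1][key.strip()] = value.strip()
    return rules


def evaluate_query(query: str, event: Event) -> bool:
    """Evaluate the uAQL subset the article uses: `Field == literal` and `contains(Field, "s")`.
    Semantics are assumptions: plain case-sensitive substring, literals true/false or "quoted"."""
    if m := _CONTAINS.match(query):
        field_name, needle = m.groups()
        return needle in str(event.get(field_name, ""))
    if m := _EQ.match(query):
        field_name, literal = m.groups()
        value = _LITERALS.get(literal, literal.strip('"'))
        return event.get(field_name) == value
    raise ValueError(f"unsupported query: {query}")


def apply_rules(rules: List[Dict[str, str]], event: Event) -> List[Dict[str, object]]:
    """Return one SIEM-style record per matching rule, carrying that rule's GenericPropertyN fields."""
    hits = []
    for rule in rules:
        if rule["EventType"] == event["EventType"] and evaluate_query(rule["Query"], event):
            props = {rule[k]: event.get(rule[k]) for k in sorted(rule) if k.startswith("GenericProperty")}
            hits.append({"Tag": rule["Tag"], "RiskScore": int(rule["RiskScore"]), **props})
    return hits


def _event(name: str, signed: bool, tid: int, module: str, func: str) -> Event:
    """Build a constructed (not real) Process.CreateRemoteThread event."""
    return {"EventType": "Process.CreateRemoteThread", "Process.Name": name,
            "Process.IsSigned": signed, "Thread.Id": tid,
            "Thread.Timestamp": "2021-01-01T10:00:00Z", "Thread.StartAddress": "0x7ffb1a2c3d40",
            "Thread.StartModule": module, "Thread.StartFunctionName": func}


# Constructed sample events: unsigned injector, signed process using LoadLibrary, signed debugger attach.
SAMPLE_EVENTS = [
    _event("updater.exe", False, 4120, "kernel32.dll", "LoadLibraryW"),    # both rules fire
    _event("vendor-hook.exe", True, 5511, "kernel32.dll", "LoadLibraryA"),  # DLL-injection rule only
    _event("debugger.exe", True, 6012, "ntdll.dll", "DbgUiRemoteBreakin"),  # no rule fires
]


def tags_for_samples() -> List[List[str]]:
    """Tags produced for each sample event, in event order."""
    rules = parse_rules(RULES_TEXT)
    return [[hit["Tag"] for hit in apply_rules(rules, ev)] for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, tags in zip(SAMPLE_EVENTS, tags_for_samples()):
        print(f"{ev['Process.Name']:>16} {ev['Thread.StartFunctionName']:<20} tags={tags}")
```

Running it shows the point of having both rules: the unsigned process hits both tags, the signed process using LoadLibrary is still flagged as DLL injection, and the debugger attach produces nothing, which is the kind of baseline you want before forwarding these events to a SIEM.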

About uberAgent

uberAgent is an innovative Windows and macOS user experience monitoring and endpoint security analytics product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance per website, and remoting protocol insights.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.
