uberAgent ESA detects remote thread creation that may be used in malicious attack techniques or suspicious activities such as DLL injections or malicious code execution in remote processes.

Configuration

uberAgent ESA Remote Thread Monitoring is enabled or disabled through a configuration option. The related configuration Stanza is [Miscellaneous].

Configure the setting RemoteThreadMonitoring = false to disable remote thread monitoring.

By default, this option is enabled (requires ESA enabled and Process Startup metrics enabled, too).

Detecting Remote Thread Events

Any remote thread action is queryable with uAQL and its Threat Detection Engine rules.

Example Rule

The following example detects any Remote Thread event and forwards it to your backend, once triggered.

[ActivityMonitoringRule]
# Detect any remote thread creation
RuleName = Detect remote thread creations
EventType = Process.CreateRemoteThread
Query = true
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName

However, this general rule may include false positives. There are many cases where remote threads are used that are absolutely not malicious or suspicious. (e.g: debugging applications or OS remote threads)

Therefore it is recommended to filter this with more advanced conditions using Common Event Properties and Remote Event Properties.

uberAgent ESA is shipped with many automatically converted rules from Sigma. This ruleset already includes several useful Remote Thread detection rules.