Remote Thread Monitoring
uberAgent ESA detects remote thread creation that may be used in malicious attack techniques or suspicious activities such as DLL injections or malicious code execution in remote processes.
uberAgent ESA Remote Thread Monitoring is enabled or disabled through a configuration option. The related configuration Stanza is
Configure the setting
RemoteThreadMonitoring = false to disable remote thread monitoring.
By default, this option is enabled (requires ESA enabled and Process Startup metrics enabled, too).
Detecting Remote Thread Events
The following example detects any Remote Thread event and forwards it to your backend, once triggered.
# Detect any remote thread creation
RuleName = Detect remote thread creations
EventType = Process.CreateRemoteThread
Query = true
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName
However, this general rule may include false positives. There are many cases where remote threads are used that are absolutely not malicious or suspicious. (e.g: debugging applications or OS remote threads)
uberAgent ESA is shipped with many automatically converted rules from Sigma. This ruleset already includes several useful Remote Thread detection rules.