Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at

This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

Remote Thread Monitoring

uberAgent ESA detects remote thread creation that may be used in malicious attack techniques or suspicious activities such as DLL injections or malicious code execution in remote processes.


uberAgent ESA Remote Thread Monitoring is enabled or disabled through a configuration option. The related configuration Stanza is [Miscellaneous].

Configure the setting RemoteThreadMonitoring = false to disable remote thread monitoring.

By default, this option is enabled (requires ESA enabled and Process Startup metrics enabled, too).

Detecting Remote Thread Events

Any remote thread action is queryable with uAQL and its Threat Detection Engine rules.

Example Rule

The following example detects any Remote Thread event and forwards it to your backend, once triggered.

# Detect any remote thread creation
RuleName = Detect remote thread creations
EventType = Process.CreateRemoteThread
Query = true
Tag = process-create-remote-thread
RiskScore = 75
GenericProperty1 = Thread.Id
GenericProperty2 = Thread.Timestamp
GenericProperty3 = Thread.StartAddress
GenericProperty4 = Thread.StartModule
GenericProperty5 = Thread.StartFunctionName

However, this general rule may include false positives. There are many cases where remote threads are used that are absolutely not malicious or suspicious. (e.g: debugging applications or OS remote threads)

Therefore it is recommended to filter this with more advanced conditions using Common Event Properties and Remote Event Properties.

uberAgent ESA is shipped with many automatically converted rules from Sigma. This ruleset already includes several useful Remote Thread detection rules.


Your email address will not be published. Required fields are marked *