uberAgent

Remote Thread Event Properties

The following event properties can be used with create remote thread events in uAQL queries (event type Process.CreateRemoteThread). In addition to the properties listed here, the common properties are applicable, too.

| Property name | uAQL Data Type | Description | Platform |
| --- | --- | --- | --- |
| Thread.Id | Integer | The thread identifier of the newly created thread. | Win |
| Thread.Timestamp | Integer | Event timestamp. | Win |
| Thread.Process.Id | Integer | The process identifier of the process that runs the newly created thread. | Win |
| Thread.Parent.Id | Integer | The process identifier of the process that has initiated the remote thread. | Win |
| Thread.StartAddress | Integer | The absolute address in virtual memory where the function is located. | Win |
| Thread.StartModule | String | The name of the library in which the started function is located. | Win |
| Thread.StartFunctionName | String | The name of the function that was started as the entry point for the new thread. | Win |