Query Details

Rule : Detection of NtMapViewOfSection Remote API Call

Nt Map View Of Section Detection Rule

Query

DeviceEvents 
| where ActionType has_any('NtMapViewOfSectionRemoteApiCall')
| where FileName != "firefox.exe" and FileName != "MicrosoftEdgeCP.exe"

About this query

Explanation

This query is designed to detect suspicious use of the NtMapViewOfSection function, which can be used for process injection—a technique where malicious code is executed within the context of another process. The query specifically looks for events where this function is called remotely, excluding legitimate uses by Firefox and Microsoft Edge processes. This helps identify potential malicious activities early on.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 21, 2024

Tables

DeviceEvents

Keywords

DeviceEventsProcessInjectionNtMapViewOfSectionRemoteAPICallMITREATT&CKSuspiciousActivity

Operators

has_any!=and

MITRE Techniques

Actions

GitHub