Rule : Detection of NtMapViewOfSection Remote API Call
Nt Map View Of Section Detection Rule
Query
DeviceEvents
| where ActionType has_any('NtMapViewOfSectionRemoteApiCall')
| where FileName != "firefox.exe" and FileName != "MicrosoftEdgeCP.exe"About this query
Explanation
This query is designed to detect suspicious use of the NtMapViewOfSection function, which can be used for process injection—a technique where malicious code is executed within the context of another process. The query specifically looks for events where this function is called remotely, excluding legitimate uses by Firefox and Microsoft Edge processes. This helps identify potential malicious activities early on.
