Rule : Detection of SetThreadContext Remote API Call
Set Thread Context Remote Api Call Query
Query
DeviceEvents
| where ActionType == "SetThreadContextRemoteApiCall"About this query
Rule : Detection of SetThreadContext Remote API Call
Description
This detection rule identifies suspicious usage of the SetThreadContext function for remote API calls. The SetThreadContext function is used to modify the context of a specified thread, which can be leveraged by malicious actors to inject code into another process's address space. This technique allows attackers to execute arbitrary code within the context of another process, potentially leading to unauthorized actions or evasion of security controls. According to the MITRE ATT&CK framework, this technique falls under "Process Injection: Thread Execution Hijacking" (T1055.003).
This rule helps detect and audit suspicious usage of SetThreadContext, providing an early warning for potential malicious activities involving process injection.
Detection Logic
- Monitors
DeviceEventsfor events where:- The
ActionTypeis "SetThreadContextRemoteApiCall".
- The
Tags
- Process Injection
- SetThreadContext
- Remote API Call
- MITRE ATT&CK T1055.003
- Suspicious Activity
Search Query
Explanation
Summary of the Query
Purpose:
The query is designed to detect suspicious activities involving the SetThreadContext function, which can be used by attackers to inject code into another process's address space.
Description:
- Function Monitored:
SetThreadContext - Suspicious Activity: Modifying the context of a thread in another process, which can be used for malicious code injection.
- Potential Impact: Unauthorized actions or evasion of security controls.
- MITRE ATT&CK Technique: Process Injection: Thread Execution Hijacking (T1055.003).
Detection Logic:
- Data Source:
DeviceEvents - Condition: The event's
ActionTypeis "SetThreadContextRemoteApiCall".
Tags:
- Process Injection
- SetThreadContext
- Remote API Call
- MITRE ATT&CK T1055.003
- Suspicious Activity
KQL Query:
DeviceEvents
| where ActionType == "SetThreadContextRemoteApiCall"
This query helps in identifying and auditing potential malicious activities involving the SetThreadContext function, providing an early warning for process injection attempts.
