Query Details

Rule : Detection of SetThreadContext Remote API Call

Set Thread Context Remote Api Call Query

Query

DeviceEvents
| where ActionType == "SetThreadContextRemoteApiCall"

About this query

Rule : Detection of SetThreadContext Remote API Call

Description

This detection rule identifies suspicious usage of the SetThreadContext function for remote API calls. The SetThreadContext function is used to modify the context of a specified thread, which can be leveraged by malicious actors to inject code into another process's address space. This technique allows attackers to execute arbitrary code within the context of another process, potentially leading to unauthorized actions or evasion of security controls. According to the MITRE ATT&CK framework, this technique falls under "Process Injection: Thread Execution Hijacking" (T1055.003).

This rule helps detect and audit suspicious usage of SetThreadContext, providing an early warning for potential malicious activities involving process injection.

Detection Logic

  • Monitors DeviceEvents for events where:
    • The ActionType is "SetThreadContextRemoteApiCall".

Tags

  • Process Injection
  • SetThreadContext
  • Remote API Call
  • MITRE ATT&CK T1055.003
  • Suspicious Activity

Search Query

Explanation

Summary of the Query

Purpose: The query is designed to detect suspicious activities involving the SetThreadContext function, which can be used by attackers to inject code into another process's address space.

Description:

  • Function Monitored: SetThreadContext
  • Suspicious Activity: Modifying the context of a thread in another process, which can be used for malicious code injection.
  • Potential Impact: Unauthorized actions or evasion of security controls.
  • MITRE ATT&CK Technique: Process Injection: Thread Execution Hijacking (T1055.003).

Detection Logic:

  • Data Source: DeviceEvents
  • Condition: The event's ActionType is "SetThreadContextRemoteApiCall".

Tags:

  • Process Injection
  • SetThreadContext
  • Remote API Call
  • MITRE ATT&CK T1055.003
  • Suspicious Activity

KQL Query:

DeviceEvents
| where ActionType == "SetThreadContextRemoteApiCall"

This query helps in identifying and auditing potential malicious activities involving the SetThreadContext function, providing an early warning for process injection attempts.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 21, 2024

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

==|where

MITRE Techniques

Actions

GitHub