T1055.004 Asynchronous Procedure Call Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect APC injection: suspended process creation followed by remote thread/APC execution
// Early Bird pattern: CreateProcess(SUSPENDED) -> WriteProcessMemory -> QueueUserAPC -> ResumeThread
let SuspiciousParents = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine == "" or ProcessCommandLine == FileName
| where InitiatingProcessFileName in~ (SuspiciousParents)
| where FileName in~ ("svchost.exe", "rundll32.exe", "EhStorAuthn.exe", "ctfmon.exe", "conhost.exe", "dllhost.exe")
| join kind=leftouter (
    DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType == "CreateRemoteThreadApiCall"
    | project ThreadTime=Timestamp, DeviceName, TargetProcessId=ProcessId, InjectorProcess=InitiatingProcessFileName
) on DeviceName, $left.ProcessId == $right.TargetProcessId
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessId, InjectorProcess
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Process: OS API Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceEvents

False Positives

Legitimate COM object activation spawning dllhost.exe with minimal command lines
Service Control Manager spawning svchost.exe instances
Windows Update creating suspended processes for staged updates
Application installers spawning helper processes in suspended state for configuration

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
| where GrantedAccess IN ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x1410", "0x143A", "0x1F1FFF")
| rename SourceImage as APCInjector, TargetImage as APCTarget
| eval InjectorName=mvindex(split(APCInjector, "\\"), -1)
| search InjectorName IN ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") OR NOT APCInjector="C:\\Windows\\*"
| eval EarlyBirdTarget=if(match(APCTarget, "(?i)(svchost|rundll32|EhStorAuthn|ctfmon|conhost|dllhost)\.exe$"), "Yes", "No")
| eval AlertLevel=case(
    EarlyBirdTarget="Yes" AND NOT APCInjector="C:\\Windows\\*", "Critical - Likely Early Bird injection",
    EarlyBirdTarget="Yes", "High - Suspicious APC target process",
    1=1, "Medium - Cross-process access with injection-capable rights"
)
| table _time, host, User, APCInjector, APCTarget, GrantedAccess, EarlyBirdTarget, AlertLevel
| sort - _time

critical severity high confidence

Data Sources

Process: Process Access Sysmon Event ID 10

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate COM/DCOM activation accessing dllhost.exe
Service Control Manager operations on svchost.exe
Windows Error Reporting accessing process threads
System management tools performing health checks on service processes

Elastic Security (EQL)

eql

process where event.action == "process_accessed" and
  winlog.event_id == 10 and
  winlog.event_data.GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x1410", "0x143A", "0x1F1FFF") and
  (
    winlog.event_data.SourceImage like~ ("*\\powershell.exe", "*\\cmd.exe", "*\\wscript.exe",
      "*\\cscript.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\regsvr32.exe") or
    not winlog.event_data.SourceImage like "C:\\Windows\\*"
  ) and
  winlog.event_data.TargetImage like~ ("*\\svchost.exe", "*\\rundll32.exe", "*\\EhStorAuthn.exe",
    "*\\ctfmon.exe", "*\\conhost.exe", "*\\dllhost.exe")

high severity high confidence

Data Sources

Microsoft-Windows-Sysmon/Operational Elastic Endpoint Security winlogbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-windows.sysmon_operational-*

False Positives

Legitimate EDR and AV agents (CrowdStrike Falcon, SentinelOne, Carbon Black) that open PROCESS_ALL_ACCESS handles to svchost.exe, conhost.exe, and dllhost.exe for in-memory scanning and behavioral monitoring
Sysinternals tools (Process Explorer, ProcMon) and administrative debuggers (WinDbg, x64dbg) opened by administrators that request high-privilege cross-process access for legitimate system inspection
Software deployment tools (SCCM, Tanium, Ansible) invoked via PowerShell or cmd.exe that perform in-memory operations against services hosted within svchost.exe during patch and policy enforcement cycles

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  logsourcename(logsourceid) AS "Log Source",
  devicehostname AS "Host",
  username AS "User",
  "SourceImage" AS "Injector",
  "TargetImage" AS "Target",
  "GrantedAccess" AS "Access Rights",
  CASE
    WHEN (LOWER("TargetImage") LIKE '%svchost.exe'
      OR LOWER("TargetImage") LIKE '%rundll32.exe'
      OR LOWER("TargetImage") LIKE '%ehstorauthn.exe'
      OR LOWER("TargetImage") LIKE '%ctfmon.exe'
      OR LOWER("TargetImage") LIKE '%conhost.exe'
      OR LOWER("TargetImage") LIKE '%dllhost.exe')
      AND "SourceImage" NOT LIKE 'C:\\Windows\\%'
    THEN 'Critical - Likely Early Bird APC Injection'
    WHEN LOWER("TargetImage") LIKE '%svchost.exe'
      OR LOWER("TargetImage") LIKE '%rundll32.exe'
      OR LOWER("TargetImage") LIKE '%ehstorauthn.exe'
      OR LOWER("TargetImage") LIKE '%ctfmon.exe'
      OR LOWER("TargetImage") LIKE '%conhost.exe'
      OR LOWER("TargetImage") LIKE '%dllhost.exe'
    THEN 'High - Suspicious APC Target Process'
    ELSE 'Medium - Injection-Capable Cross-Process Access'
  END AS "Alert Level"
FROM events
WHERE eventid = 10
  AND "GrantedAccess" IN ('0x1FFFFF', '0x001F0FFF', '0x1F3FFF', '0x1410', '0x143A', '0x1F1FFF')
  AND (
    LOWER("SourceImage") LIKE '%\\powershell.exe'
    OR LOWER("SourceImage") LIKE '%\\cmd.exe'
    OR LOWER("SourceImage") LIKE '%\\wscript.exe'
    OR LOWER("SourceImage") LIKE '%\\cscript.exe'
    OR LOWER("SourceImage") LIKE '%\\mshta.exe'
    OR LOWER("SourceImage") LIKE '%\\rundll32.exe'
    OR LOWER("SourceImage") LIKE '%\\regsvr32.exe'
    OR "SourceImage" NOT LIKE 'C:\\Windows\\%'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Microsoft-Windows-Sysmon/Operational Windows Security Event Log

Required Tables

events

False Positives

Endpoint protection platforms installed to non-standard paths outside C:\Windows\ that require PROCESS_ALL_ACCESS to inspect memory of svchost.exe, conhost.exe, and dllhost.exe as part of their monitoring function
Microsoft SCCM and Intune management agents that launch PowerShell or cmd.exe wrappers opening high-privilege handles to Windows service host processes during software distribution and compliance enforcement
Performance monitoring and APM agents (Dynatrace OneAgent, AppDynamics) that attach to dllhost.exe, conhost.exe, or ctfmon.exe with elevated process access for profiling and telemetry instrumentation

Sumo Logic CSE

sql

(_sourceCategory="*sysmon*" OR _sourceCategory="*windows*")
| where EventID = 10
| where GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x1410", "0x143A", "0x1F1FFF")
| where SourceImage matches /(?i).*(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$/ OR !(SourceImage matches /(?i)^[Cc]:\\[Ww]indows\\/)
| if (TargetImage matches /(?i).*(svchost|rundll32|EhStorAuthn|ctfmon|conhost|dllhost)\.exe$/, "Yes", "No") as EarlyBirdTarget
| if (EarlyBirdTarget = "Yes", if(!(SourceImage matches /(?i)^[Cc]:\\[Ww]indows\\/), "Critical - Likely Early Bird APC Injection", "High - Suspicious APC Target Process"), "Medium - Cross-Process Injection-Capable Access") as AlertLevel
| fields _messageTime, Computer, User, SourceImage, TargetImage, GrantedAccess, EarlyBirdTarget, AlertLevel
| sort by _messageTime desc

high severity high confidence

Data Sources

Microsoft-Windows-Sysmon/Operational via Sumo Logic Installed Collector Windows Event Log via Sumo Logic

Required Tables

_sourceCategory with Sysmon operational logs (EventID 10)

False Positives

Security tooling deployed outside C:\Windows\ (e.g., third-party EDR sensors, vulnerability scanners installed to C:\Program Files\) that open PROCESS_ALL_ACCESS handles to svchost.exe or dllhost.exe during their normal monitoring routines
IT automation scripts running via PowerShell or wscript.exe that interact with Windows service-hosted COM servers in dllhost.exe or perform legitimate WMI-based service interaction requiring elevated process access
Application performance monitoring probes executed from scripting engines that attach to conhost.exe or ctfmon.exe as subprocess helpers for input method or console telemetry collection

Google Chronicle / SecOps

yaral

rule t1055_004_apc_injection_process_access {
  meta:
    author = "Detection Engineering"
    description = "Detects T1055.004 APC Injection via cross-process access with injection-capable rights targeting common Early Bird victim processes"
    severity = "HIGH"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.004"
    confidence = "high"
    reference = "https://attack.mitre.org/techniques/T1055/004/"

  events:
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.target.process.file.full_path = /(?i)(svchost|rundll32|EhStorAuthn|ctfmon|conhost|dllhost)\.exe$/
    (
      $e.principal.process.file.full_path = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$/ or
      not $e.principal.process.file.full_path = /(?i)^c:\\windows\\/
    )
    (
      $e.target.process.access_mask = "0x1FFFFF" or
      $e.target.process.access_mask = "0x001F0FFF" or
      $e.target.process.access_mask = "0x1F3FFF" or
      $e.target.process.access_mask = "0x1410" or
      $e.target.process.access_mask = "0x143A" or
      $e.target.process.access_mask = "0x1F1FFF"
    )
    $e.principal.hostname = $hostname

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (PROCESS_OPEN events) Sysmon via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle connector

Required Tables

UDM events with metadata.event_type = PROCESS_OPEN

False Positives

EDR and endpoint security agents deployed outside C:\Windows\ that require PROCESS_ALL_ACCESS (0x1FFFFF) to enumerate and scan memory regions of svchost.exe, dllhost.exe, and conhost.exe for malicious code patterns
Managed service provider RMM tools that use PowerShell or scripting hosts to open elevated handles to Windows host processes for health monitoring, remote remediation, or configuration management tasks
Authorized red team and penetration testing frameworks operating in sanctioned assessment engagements that probe process access controls against system processes to validate detection coverage

CrowdStrike LogScale (CQL)

cql

// T1055.004 APC Injection - Early Bird Process Spawn Pattern
// Detects LOLBin parents spawning canonical APC injection target processes with empty/minimal command lines
// Hallmark of Early Bird: CreateProcess(SUSPENDED) with no args -> WriteProcessMemory -> QueueUserAPC -> ResumeThread
#event_simpleName IN ("ProcessRollup2", "SyntheticProcessRollup2")
| ParentBaseFileName =~ regex("(?i)^(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32)\\.exe$")
| ImageFileName =~ regex("(?i)(svchost|rundll32|EhStorAuthn|ctfmon|conhost|dllhost)\\.exe$")
| CommandLine = /^$/ OR CommandLine = null OR CommandLine = ImageFileName
| groupBy(
    [ComputerName, ParentBaseFileName, ImageFileName],
    function=[
      count(as=SpawnCount),
      selectLast([UserName, ParentCommandLine, CommandLine, TargetProcessId_decimal, SHA256HashData])
    ]
  )
| SpawnCount > 0
| table([_time, ComputerName, UserName, ParentBaseFileName, ImageFileName, ParentCommandLine, CommandLine, TargetProcessId_decimal, SHA256HashData, SpawnCount])
| sort(field=_time, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor ProcessRollup2 telemetry CrowdStrike Falcon SyntheticProcessRollup2

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate Windows service control operations where cmd.exe or PowerShell is used to start svchost.exe-hosted services with no explicit command-line arguments, particularly during system boot or Group Policy application
Software installation and update routines that invoke scripting engines to spawn conhost.exe or rundll32.exe as subprocess helpers with no user-visible arguments during pre- or post-installation steps
Scheduled task executors using wscript.exe or cscript.exe that launch Windows host processes as part of automated maintenance workflows where command-line arguments are passed via COM rather than the process command line

Asynchronous Procedure Call

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections