T1055.004 Elastic Security · Elastic

Detect Asynchronous Procedure Call in Elastic Security

Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is commonly performed by attaching malicious code to the APC Queue of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibraryA pointing to a malicious DLL). A variation called Early Bird injection involves creating a suspended process in which malicious code is written and executed before the process' entry point via an APC. AtomBombing is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.004 Asynchronous Procedure Call
Canonical reference
https://attack.mitre.org/techniques/T1055/004/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.action == "process_accessed" and
  winlog.event_id == 10 and
  winlog.event_data.GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x1410", "0x143A", "0x1F1FFF") and
  (
    winlog.event_data.SourceImage like~ ("*\\powershell.exe", "*\\cmd.exe", "*\\wscript.exe",
      "*\\cscript.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\regsvr32.exe") or
    not winlog.event_data.SourceImage like "C:\\Windows\\*"
  ) and
  winlog.event_data.TargetImage like~ ("*\\svchost.exe", "*\\rundll32.exe", "*\\EhStorAuthn.exe",
    "*\\ctfmon.exe", "*\\conhost.exe", "*\\dllhost.exe")
high severity high confidence

Detects T1055.004 APC Injection via Sysmon Event ID 10 (Process Access) by identifying cross-process handles opened with injection-capable access rights (PROCESS_ALL_ACCESS 0x1FFFFF, PROCESS_VM_WRITE+PROCESS_VM_OPERATION+PROCESS_CREATE_THREAD combinations including 0x001F0FFF, 0x1F3FFF, 0x1410, 0x143A, 0x1F1FFF) from known LOLBin parents or non-Windows source paths targeting common Early Bird APC victim processes. Covers QueueUserAPC, NtQueueApcThread, and AtomBombing delivery patterns.

Data Sources

Microsoft-Windows-Sysmon/OperationalElastic Endpoint Securitywinlogbeat

Required Tables

logs-endpoint.events.process-*winlogbeat-*.ds-logs-windows.sysmon_operational-*

False Positives & Tuning

  • Legitimate EDR and AV agents (CrowdStrike Falcon, SentinelOne, Carbon Black) that open PROCESS_ALL_ACCESS handles to svchost.exe, conhost.exe, and dllhost.exe for in-memory scanning and behavioral monitoring
  • Sysinternals tools (Process Explorer, ProcMon) and administrative debuggers (WinDbg, x64dbg) opened by administrators that request high-privilege cross-process access for legitimate system inspection
  • Software deployment tools (SCCM, Tanium, Ansible) invoked via PowerShell or cmd.exe that perform in-memory operations against services hosted within svchost.exe during patch and policy enforcement cycles
Download portable Sigma rule (.yml)

Other platforms for T1055.004

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Early Bird Injection - Suspended Process Creation

    Expected signal: Sysmon Event ID 1: rundll32.exe spawned by PowerShell with empty/minimal CommandLine. This alone is suspicious — rundll32.exe should always have arguments specifying the DLL and function to execute.

  2. Test 2QueueUserAPC API Call via PowerShell P/Invoke

    Expected signal: Sysmon Event ID 1: PowerShell execution with the command line. When using the actual API chain: ETW NtQueueApcThread event, Sysmon Event ID 10 (ProcessAccess) with PROCESS_ALL_ACCESS.

  3. Test 3AtomBombing Variant - Global Atom Table Write

    Expected signal: Sysmon Event ID 1: PowerShell execution. ETW: GlobalAddAtomW API call logged. In a full AtomBombing attack, this would be followed by NtQueueApcThread to copy atom data into the target process.

Last updated: 2026-04-17 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1055.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.001Dynamic-link Library InjectionT1055.012Process HollowingT1055.003Thread Execution HijackingT1218.011Rundll32

Same Tactic: Defense Evasion

Popular Detections