T1055.004 CrowdStrike LogScale · LogScale

Detect Asynchronous Procedure Call in CrowdStrike LogScale

Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is commonly performed by attaching malicious code to the APC queue of a process's thread. Queued APC functions are executed when the thread enters an alertable state. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibraryA pointing to a malicious DLL). A variation called Early Bird injection involves creating a suspended process in which malicious code is written and executed before the process's entry point via an APC. AtomBombing is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1055 Process Injection
Sub-technique: T1055.004 Asynchronous Procedure Call
Canonical reference: https://attack.mitre.org/techniques/T1055/004/

LogScale Detection Query

CrowdStrike LogScale query (CQL):

// T1055.004 APC Injection - Early Bird Process Spawn Pattern
// Detects LOLBin parents spawning canonical APC injection target processes with empty/minimal command lines
// Hallmark of Early Bird: CreateProcess(CREATE_SUSPENDED) with no args -> WriteProcessMemory -> QueueUserAPC -> ResumeThread
(#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2)
| ParentBaseFileName=/^(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$/i
| ImageFileName=/(svchost|rundll32|EhStorAuthn|ctfmon|conhost|dllhost)\.exe$/i
// Command line is absent, empty, or carries nothing but the (optionally quoted/pathed) image name.
// ImageFileName is a \Device\... path, so the name-only case is matched with a regex rather than compared to that field.
| (NOT CommandLine=* OR CommandLine=/^\s*$/ OR CommandLine=/^\s*"?([a-z]:\\[^"]*\\)?(svchost|rundll32|EhStorAuthn|ctfmon|conhost|dllhost)\.exe"?\s*$/i)
| groupBy(
    [ComputerName, ParentBaseFileName, ImageFileName],
    function=[
      count(as=SpawnCount),
      selectLast([@timestamp, UserName, ParentCommandLine, CommandLine, TargetProcessId_decimal, SHA256HashData])
    ]
  )
// Raise the threshold (e.g. SpawnCount >= 2) to alert only on repeated spawns per host/parent/child
| SpawnCount > 0
| table([@timestamp, ComputerName, UserName, ParentBaseFileName, ImageFileName, ParentCommandLine, CommandLine, TargetProcessId_decimal, SHA256HashData, SpawnCount])
| sort(field=@timestamp, order=desc)

Severity: high. Confidence: medium.

CrowdStrike LogScale (Falcon) query detecting T1055.004 APC Injection via the Early Bird process spawn pattern. It identifies LOLBin parent processes (PowerShell, cmd, wscript, cscript, mshta, rundll32, regsvr32) creating known Early Bird victim processes (svchost, dllhost, ctfmon, conhost, EhStorAuthn, rundll32) with empty or process-name-only command lines: the signature of Early Bird, where the victim is created suspended, injected via QueueUserAPC before its entry point executes, and then resumed. Results are grouped by host and parent/child process pair to surface repeated or patterned injection attempts. Note: for direct process access events, supplement with Falcon's InjectedThread or InjectedDll event types if available in your sensor policy.
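As an added example (not the page's own query and not CrowdStrike code), the same Early Bird filters and groupBy logic written in Python and run over constructed ProcessRollup2-shaped records, so the matching rules can be unit-tested offline before the query is deployed; it goes slightly beyond the query by lower-casing the grouping key. Field names follow the query; the event shape, host names and PIDs are constructed sample data.

```python
import re
from collections import defaultdict

EVENT_TYPES = {"ProcessRollup2", "SyntheticProcessRollup2"}
LOLBIN_PARENT = re.compile(r"^(powershell|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$", re.I)
APC_TARGET = re.compile(r"(svchost|rundll32|EhStorAuthn|ctfmon|conhost|dllhost)\.exe$", re.I)
# Command line that carries nothing but the image name (optionally quoted and/or pathed).
NAME_ONLY_CMDLINE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?(svchost|rundll32|EhStorAuthn|ctfmon|conhost|dllhost)\.exe"?\s*$', re.I)

def is_early_bird_spawn(ev):
    """Mirror the query's filters: event type, LOLBin parent, APC target child, bare command line."""
    if ev.get("event_simpleName") not in EVENT_TYPES:
        return False
    if not LOLBIN_PARENT.search(ev.get("ParentBaseFileName") or ""):
        return False
    if not APC_TARGET.search(ev.get("ImageFileName") or ""):
        return False
    cmd = ev.get("CommandLine")
    # Missing, empty, or image-name-only command line is the Early Bird hallmark.
    return cmd is None or cmd.strip() == "" or NAME_ONLY_CMDLINE.match(cmd) is not None

def group_spawns(events):
    """Equivalent of the query's groupBy: (host, parent, child) -> count plus last-seen fields.
    Keys are lower-cased so PowerShell.exe and powershell.exe land in one bucket."""
    groups = defaultdict(lambda: {"SpawnCount": 0})
    for ev in events:
        if not is_early_bird_spawn(ev):
            continue
        child = ev["ImageFileName"].rsplit("\\", 1)[-1].lower()
        g = groups[(ev["ComputerName"], ev["ParentBaseFileName"].lower(), child)]
        g["SpawnCount"] += 1
        g["CommandLine"] = ev.get("CommandLine")  # selectLast semantics
        g["TargetProcessId_decimal"] = ev.get("TargetProcessId_decimal")
    return dict(groups)

def make_event(kind, host, parent, image, cmd, pid):
    """Build a constructed ProcessRollup2-shaped record (sample data, not real telemetry)."""
    return {"event_simpleName": kind, "ComputerName": host, "ParentBaseFileName": parent,
            "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\" + image,
            "CommandLine": cmd, "TargetProcessId_decimal": pid}

SAMPLE_EVENTS = [  # constructed: two true positives on WS01, one benign rundll32 use and one non-LOLBin parent on WS02
    make_event("ProcessRollup2", "WS01", "powershell.exe", "rundll32.exe", "", 4212),
    make_event("ProcessRollup2", "WS01", "cmd.exe", "svchost.exe", '"C:\\Windows\\System32\\svchost.exe"', 4300),
    make_event("ProcessRollup2", "WS02", "powershell.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", 5100),
    make_event("ProcessRollup2", "WS02", "explorer.exe", "conhost.exe", "", 5200),
    make_event("SyntheticProcessRollup2", "WS01", "PowerShell.exe", "rundll32.exe", None, 4250),
]
```

Calling group_spawns(SAMPLE_EVENTS) yields two buckets: (WS01, powershell.exe, rundll32.exe) with SpawnCount 2 and (WS01, cmd.exe, svchost.exe) with SpawnCount 1; the argument-bearing rundll32 launch and the explorer.exe parent are filtered out.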

Data Sources

CrowdStrike Falcon Sensor ProcessRollup2 telemetry
CrowdStrike Falcon Sensor SyntheticProcessRollup2 telemetry

Required Tables

ProcessRollup2
SyntheticProcessRollup2

False Positives & Tuning

  • Legitimate Windows service control operations where cmd.exe or PowerShell is used to start svchost.exe-hosted services with no explicit command-line arguments, particularly during system boot or Group Policy application
  • Software installation and update routines that invoke scripting engines to spawn conhost.exe or rundll32.exe as subprocess helpers with no user-visible arguments during pre- or post-installation steps
  • Scheduled task executors using wscript.exe or cscript.exe that launch Windows host processes as part of automated maintenance workflows where command-line arguments are passed via COM rather than the process command line

Testing Methodology

Validate this detection against 3 Atomic Red Team test cases for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Early Bird Injection - Suspended Process Creation

    Expected signal: Sysmon Event ID 1: rundll32.exe spawned by PowerShell with empty/minimal CommandLine. This alone is suspicious — rundll32.exe should always have arguments specifying the DLL and function to execute.

  2. Test 2: QueueUserAPC API Call via PowerShell P/Invoke

    Expected signal: Sysmon Event ID 1: PowerShell execution with the P/Invoke command line visible in CommandLine. When using the actual API chain: ETW NtQueueApcThread event, Sysmon Event ID 10 (ProcessAccess) with PROCESS_ALL_ACCESS.

  3. Test 3: AtomBombing Variant - Global Atom Table Write

    Expected signal: Sysmon Event ID 1: PowerShell execution. ETW: GlobalAddAtomW API call logged. In a full AtomBombing attack, this would be followed by NtQueueApcThread to copy atom data into the target process.
