Detect Asynchronous Procedure Call in IBM QRadar
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses and possibly elevate privileges. APC injection is commonly performed by attaching malicious code to the APC queue of one of the target process's threads; queued APC functions run when that thread enters an alertable state. The injector first writes its payload into the target (which is why it needs a process handle with write access), then obtains a handle to a thread in the target with a native call such as OpenThread. QueueUserAPC (or the underlying NtQueueApcThread) can then queue a function to run on that thread, such as LoadLibraryA pointing to a malicious DLL. A variation called Early Bird injection creates a suspended process, writes the malicious code into it, and queues an APC so the code executes before the process's entry point is reached. AtomBombing is another variation that uses APCs to invoke malicious code previously written to the global atom table.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.004 Asynchronous Procedure Call
- Canonical reference
- https://attack.mitre.org/techniques/T1055/004/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
logsourcename(logsourceid) AS "Log Source",
devicehostname AS "Host",
username AS "User",
"SourceImage" AS "Injector",
"TargetImage" AS "Target",
"GrantedAccess" AS "Access Rights",
CASE
WHEN (LOWER("TargetImage") LIKE '%svchost.exe'
OR LOWER("TargetImage") LIKE '%rundll32.exe'
OR LOWER("TargetImage") LIKE '%ehstorauthn.exe'
OR LOWER("TargetImage") LIKE '%ctfmon.exe'
OR LOWER("TargetImage") LIKE '%conhost.exe'
OR LOWER("TargetImage") LIKE '%dllhost.exe')
AND "SourceImage" NOT LIKE 'C:\\Windows\\%'
THEN 'Critical - Likely Early Bird APC Injection'
WHEN LOWER("TargetImage") LIKE '%svchost.exe'
OR LOWER("TargetImage") LIKE '%rundll32.exe'
OR LOWER("TargetImage") LIKE '%ehstorauthn.exe'
OR LOWER("TargetImage") LIKE '%ctfmon.exe'
OR LOWER("TargetImage") LIKE '%conhost.exe'
OR LOWER("TargetImage") LIKE '%dllhost.exe'
THEN 'High - Suspicious APC Target Process'
ELSE 'Medium - Injection-Capable Cross-Process Access'
END AS "Alert Level"
FROM events
WHERE eventid = 10
AND "GrantedAccess" IN ('0x1FFFFF', '0x1F0FFF', '0x1F3FFF', '0x143A', '0x1F1FFF')
AND (
LOWER("SourceImage") LIKE '%\\powershell.exe'
OR LOWER("SourceImage") LIKE '%\\cmd.exe'
OR LOWER("SourceImage") LIKE '%\\wscript.exe'
OR LOWER("SourceImage") LIKE '%\\cscript.exe'
OR LOWER("SourceImage") LIKE '%\\mshta.exe'
OR LOWER("SourceImage") LIKE '%\\rundll32.exe'
OR LOWER("SourceImage") LIKE '%\\regsvr32.exe'
OR "SourceImage" NOT LIKE 'C:\\Windows\\%'
)
ORDER BY devicetime DESC
LAST 24 HOURS
Detects T1055.004 APC injection in IBM QRadar using Sysmon Event ID 10 (ProcessAccess) events. It identifies cross-process handles with injection-capable access rights opened by LOLBin processes or non-Windows binaries, and grades them in three tiers: Critical for a non-Windows source targeting one of the canonical Early Bird victim processes, High for a LOLBin targeting the same processes, Medium for any other injection-capable access. The GrantedAccess filter covers PROCESS_ALL_ACCESS (0x1FFFFF; 0x1F0FFF on older Windows) and masks that include PROCESS_VM_WRITE and PROCESS_VM_OPERATION, which the injector needs in order to place its payload before QueueUserAPC or NtQueueApcThread runs it; Sysmon writes the mask in uppercase hex without leading zeros, so the literals must match that form exactly. Two caveats: Sysmon has no thread-access event, so OpenThread and the APC queue call themselves are never logged and the rule keys on the process handle used to write the payload; and because APC injection creates no new thread, a matching Event ID 10 with no Sysmon Event ID 8 (CreateRemoteThread) for the same source/target pair points to APC rather than remote-thread injection.
Data Sources
- Sysmon Event ID 10 (ProcessAccess) from Windows endpoints, forwarded to QRadar; the query filters on eventid = 10 and reads the SourceImage, TargetImage and GrantedAccess fields of that event
Required Tables
- events, with SourceImage, TargetImage and GrantedAccess parsed as custom event properties (the query references them as quoted identifiers)
False Positives & Tuning
- Endpoint protection platforms installed to non-standard paths outside C:\Windows\ that require PROCESS_ALL_ACCESS to inspect memory of svchost.exe, conhost.exe, and dllhost.exe as part of their monitoring function
- Microsoft SCCM and Intune management agents that launch PowerShell or cmd.exe wrappers opening high-privilege handles to Windows service host processes during software distribution and compliance enforcement
- Performance monitoring and APM agents (Dynatrace OneAgent, AppDynamics) that attach to dllhost.exe, conhost.exe, or ctfmon.exe with elevated process access for profiling and telemetry instrumentation
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Early Bird Injection - Suspended Process Creation
Expected signal: Sysmon Event ID 1 showing rundll32.exe spawned by PowerShell with an empty or minimal CommandLine. That alone is suspicious: a legitimate rundll32.exe launch carries arguments naming the DLL and the export to run.
- Test 2: QueueUserAPC API Call via PowerShell P/Invoke
Expected signal: Sysmon Event ID 1 for the PowerShell execution with its command line. When the real API chain runs: an ETW record for NtQueueApcThread, and Sysmon Event ID 10 (ProcessAccess) with PROCESS_ALL_ACCESS (0x1FFFFF), which is the event this rule matches.
- Test 3: AtomBombing Variant - Global Atom Table Write
Expected signal: Sysmon Event ID 1 for the PowerShell execution, and an ETW record for the GlobalAddAtomW API call. In a full AtomBombing attack this is followed by NtQueueApcThread queuing GlobalGetAtomNameW on a target thread to copy the atom data into the target process.
References (6)
- https://attack.mitre.org/techniques/T1055/004/
- https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx
- https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/
- https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process