title: Asynchronous Procedure Call (T1055.004)
id: df00tech-t1055-004
status: experimental
description: "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is commonly performed by attaching malicious code to the APC queue of a process's thread. Queued APC functions are executed when the thread enters an alertable state. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibraryA pointing to a malicious DLL). A variation called Early Bird injection involves creating a suspended process in which malicious code is written and executed before the process's entry point via an APC. AtomBombing is another variation that utilizes APCs to invoke malicious code previously written to the global atom table."
references:
  - https://attack.mitre.org/techniques/T1055/004/
  - https://df00tech.com/detections/T1055.004
author: df00tech
date: 2026/04/17
tags:
  - attack.t1055.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate COM object activation spawning dllhost.exe with minimal command lines
  - Service Control Manager spawning svchost.exe instances
  - Windows Update creating suspended processes for staged updates
  - Application installers spawning helper processes in suspended state for configuration
level: critical
