
DET0100 Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing

| Item | Value |
|---|---|
| ID | DET0100 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1055.004 (Asynchronous Procedure Call)

Analytics

Windows

AN0277

Detects malicious injection behavior involving memory allocation, remote thread queuing via APC (e.g., QueueUserAPC), and altered thread context within another live process to execute unauthorized code under legitimate context.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | APCQueueOperations |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
Mutable Elements

| Field | Description |
|---|---|
| APCTargetProcessList | Processes that are rarely or never valid targets for legitimate APC queuing (e.g., lsass.exe, winlogon.exe) |
| ThreadQueueDepthThreshold | The number of APCs queued within a short time window that could signal abuse |
| TimeWindow | Expected latency between memory allocation and thread execution through APC |
| UserContextSensitivity | Used to filter based on expected vs unexpected user to target process pairings |
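As an added illustration of how AN0277's correlation and three of the mutable elements (APCTargetProcessList, ThreadQueueDepthThreshold, TimeWindow) could be applied, the following Python is example code written for this page, not MITRE's analytic or a Sysmon/ETW parser. It runs over constructed, simplified event records (Sysmon EventCode 10 process access plus a stand-in "apc" record for the ETW APC-queue channel); the field names `ts`, `code`, `src`, `dst` are assumptions for the example, not real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): source process, target process,
# Sysmon EventCode 10 (ProcessAccess) and a simplified "apc" record standing in
# for Microsoft-Windows-Kernel-Process APCQueueOperations.
SAMPLE_EVENTS = [
    {"ts": "2025-10-21T10:00:00", "code": 10, "src": r"C:\Temp\upd.exe",
     "dst": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2025-10-21T10:00:01", "code": "apc", "src": r"C:\Temp\upd.exe",
     "dst": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2025-10-21T10:00:01", "code": "apc", "src": r"C:\Temp\upd.exe",
     "dst": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2025-10-21T10:00:02", "code": "apc", "src": r"C:\Temp\upd.exe",
     "dst": r"C:\Windows\System32\lsass.exe"},
    # Benign-looking: one access to a non-sensitive process, no APC follow-up.
    {"ts": "2025-10-21T10:05:00", "code": 10, "src": r"C:\Windows\System32\svchost.exe",
     "dst": r"C:\Windows\System32\notepad.exe"},
]

def detect_apc_injection(events, target_list, queue_depth_threshold=2, time_window_s=5):
    """Correlate a ProcessAccess event with APC-queue / CreateRemoteThread (code 8)
    events from the same source to the same target inside TimeWindow. Alert when the
    target is on APCTargetProcessList or the queue depth reaches the threshold."""
    alerts = []
    by_pair = {}
    for ev in events:  # group by (source image, target image) pair
        by_pair.setdefault((ev["src"], ev["dst"]), []).append(ev)
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for ev in evs:
            if ev["code"] != 10:
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            end = t0 + timedelta(seconds=time_window_s)
            followups = [e for e in evs if e["code"] in ("apc", 8)
                         and t0 <= datetime.fromisoformat(e["ts"]) <= end]
            sensitive = dst.lower().rsplit("\\", 1)[-1] in target_list
            if followups and (sensitive or len(followups) >= queue_depth_threshold):
                alerts.append({"src": src, "dst": dst, "queued": len(followups),
                               "sensitive_target": sensitive})
                break  # one alert per source/target pair
    return alerts
```

The UserContextSensitivity filter is left out; in practice it would drop pairs where the source user is expected to touch the target process.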