This note documents detection patterns related to APC Injection within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 8 | CreateRemoteThread | High | Sometimes adjacent to APC staging. |
| Sysmon | 10 | Process access | Critical | Handle access before APC queueing. |
| Sysmon | 1 | Process creation | Critical | Loader process lineage. |
| Security | 4688 | Process creation | Critical | Parent-child context. |
| Sysmon | 7 | Image loaded | Medium | Loader DLL context. |
| Sysmon | 11 | File create | Medium | Loader staging artifact. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Process access + no remote thread but payload runs | APC suspicion | Critical | Common APC clue. |
| Suspicious target process wakes later | Delayed execution | Critical | APC hallmark. |
| QueueUserAPC usage in loader | Direct indicator | Critical | High-confidence signal. |
| explorer/svchost targeted | Common APC targets | High | Valuable clue. |
| Loader exits after queue | Stager behavior | High | Common operator pattern. |
| Payload begins on alertable thread | APC execution context | High | Memory clue. |
Common Tools
| Tool | Usage |
|---|---|
| Cobalt Strike | APC injection |
| custom loaders | QueueUserAPC |
| Metasploit | APC-based injection |
| PowerShell loaders | APC shellcode staging |
Relevant Artifacts
- Sysmon Event IDs 8, 10, 1, 7, 11
- Security Event ID 4688
- API focus: QueueUserAPC, NtQueueApcThread
- Process memory regions
- EDR thread telemetry
MITRE ATT&CK References
- T1055.004 Asynchronous Procedure Call
Decision Tree
- Which loader?
  - shell
  - DLL
  - implant
- Which target process?
  - explorer
  - svchost
  - browser
- Process access first?
  - Yes
- Delayed execution?
  - Immediate
  - Later thread wake
- Expand:
  - Reflective load
  - Thread hijack
  - Beacon
- Scope:
  - Single target
  - Multiple APC queues
  - Framework pattern
Example Detection Templates
KQL
```kql
Sysmon
| where EventID == 10
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess
```
EQL
```eql
// Loader process creation (Sysmon Event 1) followed by process access (Sysmon Event 10)
// on the same host within five minutes
sequence by host.name with maxspan=5m
  [ process where event.code == "1" ]
  [ process where event.code == "10" ]
```
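The correlation the templates above sketch, written out as an added Python example (not code from the original note): it walks constructed Sysmon events and scores each process access (Event 10) that carries write rights, is never followed by a CreateRemoteThread (Event 8) from the same source, hits a common APC target, and is followed by the source exiting (Event 5). The PROCESS_VM_WRITE filter and the use of Event 5 for the "loader exits after queue" clue are assumptions of this example, as are the sample field values.

```python
"""Correlate Sysmon events into APC-injection findings (added example, not from the note)."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
COMMON_TARGETS = ("explorer.exe", "svchost.exe")  # from the indirect-indicator table
PROCESS_VM_WRITE = 0x0020  # staging a payload in the target needs write access (assumption)

# Constructed sample events, not real telemetry; field names follow the Sysmon schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-07 10:00:00", "Image": r"C:\Users\u\loader.exe",
     "ProcessId": 4321, "ParentImage": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
    {"EventID": 10, "UtcTime": "2026-03-07 10:00:02", "SourceImage": r"C:\Users\u\loader.exe",
     "SourceProcessId": 4321, "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 5, "UtcTime": "2026-03-07 10:00:03", "Image": r"C:\Users\u\loader.exe", "ProcessId": 4321},
    # Benign counterpart: a monitoring tool opens svchost with query-only rights (no write access).
    {"EventID": 10, "UtcTime": "2026-03-07 10:01:00", "SourceImage": r"C:\Program Files\Tool\mon.exe",
     "SourceProcessId": 777, "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
]

def _ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")

def apc_candidates(events):
    """One finding per Event 10 that matches the APC shape from the tables above:
    write access to a target, no CreateRemoteThread (Event 8) from that source in
    the window, and optionally the source exiting afterwards (Event 5). Each extra
    clue raises the score; a remote-thread event means classic injection, not APC."""
    events = sorted(events, key=_ts)
    findings = []
    for i, e in enumerate(events):
        if e["EventID"] != 10 or not int(e["GrantedAccess"], 16) & PROCESS_VM_WRITE:
            continue
        t0, src = _ts(e), e["SourceProcessId"]
        later = [x for x in events[i + 1:] if _ts(x) <= t0 + WINDOW]
        if any(x["EventID"] == 8 and x["SourceProcessId"] == src for x in later):
            continue
        reasons = ["process access with write rights but no CreateRemoteThread"]
        if e["TargetImage"].lower().endswith(COMMON_TARGETS):
            reasons.append("common APC target")
        if any(x["EventID"] == 5 and x["ProcessId"] == src for x in later):
            reasons.append("loader exited shortly after access")
        findings.append({"source": e["SourceImage"], "target": e["TargetImage"],
                         "score": len(reasons), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in apc_candidates(SAMPLE_EVENTS):
        print(finding)
```

Only the loader's access to explorer.exe is reported (score 3); the query-only open of svchost is dropped by the access-mask check.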
Sigma
```yaml
title: APC Injection Detection
id: 7c3e5a14-apc-injection
status: experimental
description: Detects suspicious APC injection precursors (process access to a target before APC queueing)
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 10
  condition: selection
fields:
  - SourceImage
  - TargetImage
falsepositives:
  - Security software
level: high
tags:
  - attack.defense_evasion
  - attack.t1055.004
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Monitor process access | Core APC precursor | Critical | Strong signal |
| EDR thread telemetry | Detect APC queueing | Critical | Best coverage |
| Watch delayed target execution | APC clue | High | Valuable enrichment |
| Correlate with loader lineage | High-confidence chain | Critical | Strong triage |
| Preserve memory evidence | Essential | High | DFIR critical |