Stealth Privilege Escalation

T1055.004: Asynchronous Procedure Call

T1055.004 · Sub-technique · 1 platform · 1 group

Description

Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.

APC injection is commonly performed by attaching malicious code to the APC queue (Citation: Microsoft APC) of a thread in the target process. Queued APC functions run only when that thread enters an alertable state, for example by calling SleepEx, WaitForSingleObjectEx or another wait function with the alertable flag set.(Citation: Microsoft APC) The adversary first obtains a handle to a thread of the existing victim process with a Windows API call such as OpenThread (and, where a payload must be written into the target beforehand, a process handle via OpenProcess). QueueUserAPC, or its native equivalent NtQueueApcThread/ZwQueueApcThread, is then used to queue a function on that thread, such as LoadLibraryA pointing at a malicious DLL path previously written into the target's memory.

A variation of APC injection, dubbed "Early Bird injection", involves creating a process in a suspended state (for example with the CREATE_SUSPENDED flag), writing malicious code into it, and queuing an APC to its primary thread so that the code executes before the process's entry point (and potentially before subsequent anti-malware hooks are installed) once the thread is resumed.(Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation: the payload is first written to the global atom table (Citation: Microsoft Atom Table), which is shared across processes, and APCs are then used to make the target retrieve it into its own memory and execute it.

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.

Platforms

Windows

Mitigations (1)

M1040 · Behavior Prevention on Endpoint

Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process, for example a memory allocation and write into another process followed by an APC queued to a thread of that same process.

Threat Groups (1)

| ID | Group | Context |
| --- | --- | --- |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has injected malicious code into a new svchost.exe process.(Citation: Bitdefender FIN8 July 2021) |

Associated Software (12)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0199 | TURNEDUP | Malware | [TURNEDUP](https://attack.mitre.org/software/S0199) is capable of injecting code into the APC queue of a created [Rundll32](https://attack.mitre.org/t... |
| S9018 | HeartCrypt | Malware | [HeartCrypt](https://attack.mitre.org/software/S9018) has the ability to use `NtQueueApcThread` as an alternate method for process injection.(Citation... |
| S0517 | Pillowmint | Malware | [Pillowmint](https://attack.mitre.org/software/S0517) has used the NtQueueApcThread syscall to inject code into svchost.exe.(Citation: Trustwave Pillo... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can inject its code into a trusted process via the APC queue.(Citation: ESET InvisiMole June 202... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can use asynchronous procedure call (APC) injection to execute commands received from C2.(Citatio... |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has written its payload into a newly-created `EhStorAuthn.exe` process using `ZwWriteVirtualMemor... |
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484) has queued an APC routine to explorer.exe by calling ZwQueueApcThread.(Citation: Prevx Carberp Marc... |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) has used `ZwQueueApcThread` to inject itself into remote processes.(Citation: IBM IcedID ... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) injects code into the APC queue using `NtQueueApcThread` API.(Citation: Zscaler XLoader 2025) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can inject itself into a new `svchost.exe -k netsvcs` process using the asynchronous procedure cal... |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) performs the injection by attaching its code into the APC queue using NtQueueApcThread API.(Citation:... |
| S1085 | Sardonic | Malware | [Sardonic](https://attack.mitre.org/software/S1085) can use the `QueueUserAPC` API to execute shellcode on a compromised machine.(Citation: Symantec F... |

Frequently Asked Questions

What is T1055.004 (Asynchronous Procedure Call)?

T1055.004 is a MITRE ATT&CK sub-technique of Process Injection (T1055) named 'Asynchronous Procedure Call'. It belongs to the Stealth and Privilege Escalation tactics. Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges; APC injection is a method of executing arbitrary code in the address space of a separate live process.

How can T1055.004 be detected?

Detection of T1055.004 (Asynchronous Procedure Call) relies on endpoint telemetry rather than network data. The useful signals are API-level monitoring of QueueUserAPC and NtQueueApcThread/ZwQueueApcThread where the target thread belongs to a different process, especially when preceded by VirtualAllocEx/WriteProcessMemory into that process; a process created suspended by an unrelated parent and resumed shortly after such a remote write and APC (the Early Bird pattern, and the new `svchost.exe` or `EhStorAuthn.exe` hosts seen in the software entries above); and DLL loads or execution from memory not backed by an image in the target. Two caveats shape the tooling choice: Sysmon's CreateRemoteThread event (Event ID 8) does not fire for APC injection because no new thread is created, and the Microsoft-Windows-Threat-Intelligence ETW provider, which does report remote APC queuing, delivers events only to anti-malware (PPL) consumers, so coverage depends on the EDR in use. Correlate with Sysmon Event ID 10 (ProcessAccess) entries that grant write rights such as PROCESS_VM_WRITE on the target, and analyze whether the target then behaves outside its baseline (unexpected network connections or child processes).
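One way to turn the FAQ answer above into a concrete rule, as an added Python example that is not part of the page: the function below walks a list of constructed, simplified endpoint events (process starts with parent, cross-process memory writes, APCs queued to another process's thread; the schema and field names are assumptions, not a real sensor's) and alerts on cross-process APCs that follow a remote write from the same source, rating them higher when the APC routine points into the written region or the target is a just-spawned child of the writer, which is the Early Bird / new svchost.exe pattern described on this page.

```python
"""Correlation rule for APC injection over a stream of endpoint events.

Added example, not code from the ATT&CK page. The events below are constructed and
simplified; field names are ours, not any real sensor's schema. They model the three
signals an EDR (or a consumer of the Microsoft-Windows-Threat-Intelligence ETW
provider) can surface: process start with parent, a cross-process memory write, and a
user APC queued to a thread of another process.
"""
from dataclasses import dataclass

EARLY_BIRD_WINDOW_S = 5.0   # assumption: a child this young is likely still pre-entry-point


@dataclass(frozen=True)
class Alert:
    src_pid: int
    dst_pid: int
    dst_tid: int
    severity: str
    tags: tuple


SAMPLE_EVENTS = [  # constructed; times are seconds, addresses are illustrative
    {"t": 10.0, "op": "ProcessStart", "pid": 3400, "ppid": 1200, "image": r"C:\Users\a\AppData\Local\Temp\upd.exe"},
    {"t": 12.0, "op": "ProcessStart", "pid": 2600, "ppid": 600, "image": r"C:\Windows\explorer.exe"},
    # a thread queueing an APC within its own process: routine (completion routines etc.)
    {"t": 50.0, "op": "QueueUserApc", "src_pid": 2600, "dst_pid": 2600, "dst_tid": 2604, "apc_routine": 0x7FF8C0D45000},
    # Early Bird: spawn svchost.exe, write shellcode, queue an APC at the written region
    {"t": 60.0, "op": "ProcessStart", "pid": 4100, "ppid": 3400, "image": r"C:\Windows\System32\svchost.exe"},
    {"t": 60.2, "op": "WriteVM", "src_pid": 3400, "dst_pid": 4100, "base": 0x1D0000, "size": 0x800},
    {"t": 60.3, "op": "QueueUserApc", "src_pid": 3400, "dst_pid": 4100, "dst_tid": 4104, "apc_routine": 0x1D0000},
    # classic variant: write a DLL path into explorer.exe, queue LoadLibraryA (a kernel32 export,
    # so the routine address is outside the written region)
    {"t": 300.0, "op": "WriteVM", "src_pid": 3400, "dst_pid": 2600, "base": 0x2A0000, "size": 0x40},
    {"t": 300.1, "op": "QueueUserApc", "src_pid": 3400, "dst_pid": 2600, "dst_tid": 2604, "apc_routine": 0x7FF8C0D31000},
]


def detect_apc_injection(events):
    """Return one Alert per cross-process APC corroborated by a prior remote write from the
    same source, or by the target being a freshly spawned child of the source."""
    started = {}      # pid -> (t, ppid)
    writes = {}       # (src_pid, dst_pid) -> [(base, size), ...]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        op = e["op"]
        if op == "ProcessStart":
            started[e["pid"]] = (e["t"], e["ppid"])
        elif op == "WriteVM" and e["src_pid"] != e["dst_pid"]:
            writes.setdefault((e["src_pid"], e["dst_pid"]), []).append((e["base"], e["size"]))
        elif op == "QueueUserApc":
            src, dst = e["src_pid"], e["dst_pid"]
            if src == dst:
                continue  # same-process APCs are normal; only remote queuing is interesting
            tags = []
            regions = writes.get((src, dst), [])
            if regions:
                tags.append("after-remote-write")
                if any(base <= e["apc_routine"] < base + size for base, size in regions):
                    tags.append("routine-in-written-memory")   # APC lands on injected code, not an export
            birth = started.get(dst)
            if birth and birth[1] == src and e["t"] - birth[0] <= EARLY_BIRD_WINDOW_S:
                tags.append("early-bird-child")                 # source spawned the target moments ago
            if not tags:
                continue
            severity = "high" if ("routine-in-written-memory" in tags or "early-bird-child" in tags) else "medium"
            alerts.append(Alert(src, dst, e["dst_tid"], severity, tuple(tags)))
    return alerts


if __name__ == "__main__":
    for alert in detect_apc_injection(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream this yields two alerts: a high-severity one for the svchost.exe child (remote write, APC routine inside the written buffer, spawned by the writer seconds earlier) and a medium one for explorer.exe, where the routine is a library export and only the preceding remote write corroborates it; the self-queued APC in explorer.exe is ignored. In production the WriteVM lookup should expire old entries and the window constant should be tuned against your own process-creation latency.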

What mitigations exist for T1055.004?

There is one documented mitigation for T1055.004: Behavior Prevention on Endpoint (M1040).

Which threat groups use T1055.004?

Known threat groups using T1055.004 include: FIN8.