Rule : Detection of QueueUserAPC Remote API Call
Queue User Apc Remote Api Call Detection Rule
Query
DeviceEvents
| where ActionType == "QueueUserApcRemoteApiCall"
| where InitiatingProcessCommandLine != "svchost.exe -k netsvcs -p -s ShellHWDetection"
| where InitiatingProcessVersionInfoProductName != "Microsoft Edge Installer"
| where ProcessCommandLine != "svchost.exe -k netsvcs -p -s Winmgmt"About this query
Explanation
This query is designed to detect suspicious usage of the QueueUserAPC function, which can be exploited for malicious purposes such as process injection. Here's a simplified summary:
-
Purpose: To identify potentially malicious use of the
QueueUserAPCfunction, which can be used to execute code in the context of another process, a technique known as Asynchronous Procedure Call (APC) Injection. -
Detection Criteria:
- The query looks at
DeviceEventswhere theActionTypeis "QueueUserApcRemoteApiCall". - It excludes events where the initiating process command line is
"svchost.exe -k netsvcs -p -s ShellHWDetection". - It also excludes events where the initiating process is the "Microsoft Edge Installer".
- Additionally, it excludes events where the process command line is
"svchost.exe -k netsvcs -p -s Winmgmt".
- The query looks at
-
Tags: The query is associated with process injection, APC injection, remote API calls, and is linked to the MITRE ATT&CK technique T1055.004.
-
Query:
DeviceEvents | where ActionType == "QueueUserApcRemoteApiCall" | where InitiatingProcessCommandLine != "svchost.exe -k netsvcs -p -s ShellHWDetection" | where InitiatingProcessVersionInfoProductName != "Microsoft Edge Installer" | where ProcessCommandLine != "svchost.exe -k netsvcs -p -s Winmgmt"
In essence, this query helps in identifying unusual and potentially harmful uses of the QueueUserAPC function by filtering out known legitimate uses, thereby providing an early warning for possible malicious activities.
