Query Details

Rule : Detection of QueueUserAPC Remote API Call

Queue User Apc Remote Api Call Detection Rule

Query

DeviceEvents
| where ActionType == "QueueUserApcRemoteApiCall"
| where InitiatingProcessCommandLine != "svchost.exe -k netsvcs -p -s ShellHWDetection"
| where InitiatingProcessVersionInfoProductName != "Microsoft Edge Installer"
| where ProcessCommandLine != "svchost.exe -k netsvcs -p -s Winmgmt"

About this query

Explanation

This query is designed to detect suspicious usage of the QueueUserAPC function, which can be exploited for malicious purposes such as process injection. Here's a simplified summary:

  1. Purpose: To identify potentially malicious use of the QueueUserAPC function, which can be used to execute code in the context of another process, a technique known as Asynchronous Procedure Call (APC) Injection.

  2. Detection Criteria:

    • The query looks at DeviceEvents where the ActionType is "QueueUserApcRemoteApiCall".
    • It excludes events where the initiating process command line is "svchost.exe -k netsvcs -p -s ShellHWDetection".
    • It also excludes events where the initiating process is the "Microsoft Edge Installer".
    • Additionally, it excludes events where the process command line is "svchost.exe -k netsvcs -p -s Winmgmt".
  3. Tags: The query is associated with process injection, APC injection, remote API calls, and is linked to the MITRE ATT&CK technique T1055.004.

  4. Query:

    DeviceEvents
    | where ActionType == "QueueUserApcRemoteApiCall"
    | where InitiatingProcessCommandLine != "svchost.exe -k netsvcs -p -s ShellHWDetection"
    | where InitiatingProcessVersionInfoProductName != "Microsoft Edge Installer"
    | where ProcessCommandLine != "svchost.exe -k netsvcs -p -s Winmgmt"
    

In essence, this query helps in identifying unusual and potentially harmful uses of the QueueUserAPC function by filtering out known legitimate uses, thereby providing an early warning for possible malicious activities.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 21, 2024

Tables

DeviceEvents

Keywords

DeviceEventsProcessInjectionAPCQueueUserAPCRemoteAPICallSuspiciousActivityMITREATTCK

Operators

==!=| where

MITRE Techniques

Actions

GitHub