Query Details

Queue User Apc Remote Api Call Detection Rule

Query

# Rule : Detection of QueueUserAPC Remote API Call

## Description
This detection rule identifies suspicious usage of the `QueueUserAPC` function across process boundaries. `QueueUserAPC` queues a user-mode asynchronous procedure call (APC) to a thread; the queued function runs in that thread's context the next time the thread enters an alertable wait state. The call is legitimate and widely used, but because the target thread may belong to another process, an attacker who has already written a payload into a victim process (for example with `VirtualAllocEx` and `WriteProcessMemory`) can queue the payload's address as an APC to one of the victim's threads and have it executed there without creating a new thread in the target, sidestepping detections keyed on `CreateRemoteThread`. The MITRE ATT&CK framework categorises this technique as "Process Injection: Asynchronous Procedure Call (APC) Injection" (T1055.004).

This rule helps detect and audit suspicious usage of `QueueUserAPC`, providing an early warning for potential malicious activities involving process injection.

- [MITRE ATT&CK: Asynchronous Procedure Call (APC) Injection](https://attack.mitre.org/techniques/T1055/004/)

## Detection Logic
- Monitors `DeviceEvents` for events where:
  - The `ActionType` is `QueueUserApcRemoteApiCall`. In these rows the `InitiatingProcess*` columns describe the process that made the call, while `FileName`, `ProcessId` and `ProcessCommandLine` describe the process that received the APC.
  - The `InitiatingProcessCommandLine` is not `"svchost.exe -k netsvcs -p -s ShellHWDetection"` (the Shell Hardware Detection service, a known benign caller).
  - The `InitiatingProcessVersionInfoProductName` is not `"Microsoft Edge Installer"`.
  - The `ProcessCommandLine` of the target process is not `"svchost.exe -k netsvcs -p -s Winmgmt"` (the WMI service, a known benign target).

Caveats when tuning: `!=` in KQL is a case-sensitive exact comparison, so a command line that differs only in casing, carries a full image path, or has extra whitespace is not excluded and still appears in the results (`!~` is the case-insensitive form). The exclusions also key on strings an attacker controls (a command line and a version-resource product name), so a malicious binary named `svchost.exe` launched with the excluded arguments would be filtered out as well; before treating an excluded event as benign, confirm the initiating image's path and hash (`InitiatingProcessFolderPath`, `InitiatingProcessSHA256`) and its signer.

## Tags
- Process Injection
- APC Injection
- QueueUserAPC
- Remote API Call
- MITRE ATT&CK T1055.004
- Suspicious Activity

## Search Query
```kql
DeviceEvents
| where ActionType == "QueueUserApcRemoteApiCall"
| where InitiatingProcessCommandLine != "svchost.exe -k netsvcs -p -s ShellHWDetection"
| where InitiatingProcessVersionInfoProductName != "Microsoft Edge Installer"
| where ProcessCommandLine != "svchost.exe -k netsvcs -p -s Winmgmt"
```
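To see how the four `where` clauses behave on concrete rows, the following Python replays the rule over a handful of constructed `DeviceEvents`-shaped records. This is an added illustration, not code from the page or from the rule's author: the exclusion strings are copied from the KQL above, the helper `_row`, the sample rows and the device name `ws01` are made up, and the `Counter` at the end is a hunting-style summary that the original query does not perform. It also demonstrates the exact-match caveat by including a row whose command line carries a full path.

```python
"""
Replay of the QueueUserApcRemoteApiCall rule over constructed DeviceEvents rows.

Added illustration, not code from the page: the exclusions are copied from the
rule's KQL, and the sample events below are made up to exercise each branch.
"""
from collections import Counter

ACTION = "QueueUserApcRemoteApiCall"

# Exclusions taken verbatim from the rule. Membership tests on Python strings
# are case-sensitive and exact, which mirrors KQL's `!=` (KQL `!~` would be
# the case-insensitive form).
EXCLUDED_INITIATING_CMDLINES = {"svchost.exe -k netsvcs -p -s ShellHWDetection"}
EXCLUDED_INITIATING_PRODUCTS = {"Microsoft Edge Installer"}
EXCLUDED_TARGET_CMDLINES = {"svchost.exe -k netsvcs -p -s Winmgmt"}


def matches_rule(event: dict) -> bool:
    """True when the row would survive every `where` clause of the rule."""
    if event.get("ActionType") != ACTION:
        return False
    # InitiatingProcess* columns describe the caller of QueueUserAPC ...
    if event.get("InitiatingProcessCommandLine") in EXCLUDED_INITIATING_CMDLINES:
        return False
    if event.get("InitiatingProcessVersionInfoProductName") in EXCLUDED_INITIATING_PRODUCTS:
        return False
    # ... while ProcessCommandLine describes the process that received the APC.
    if event.get("ProcessCommandLine") in EXCLUDED_TARGET_CMDLINES:
        return False
    return True


def run_rule(events):
    """Apply the rule and return the surviving rows in input order."""
    return [e for e in events if matches_rule(e)]


def triage_counts(hits):
    """Hunting view: how often each (caller image, target image) pair fired."""
    return Counter((e["InitiatingProcessFileName"], e["FileName"]) for e in hits)


def _row(init_file, init_cmd, target_file, target_cmd,
         product="Microsoft Windows Operating System", action=ACTION):
    """Build a constructed DeviceEvents-shaped row (sample data, not telemetry)."""
    return {
        "ActionType": action,
        "DeviceName": "ws01",  # hypothetical host name
        "InitiatingProcessFileName": init_file,
        "InitiatingProcessCommandLine": init_cmd,
        "InitiatingProcessVersionInfoProductName": product,
        "FileName": target_file,
        "ProcessCommandLine": target_cmd,
    }


# Constructed sample rows, one per branch of the rule.
SAMPLE_EVENTS = [
    # 1. Excluded: the Shell Hardware Detection service is the caller.
    _row("svchost.exe", "svchost.exe -k netsvcs -p -s ShellHWDetection",
         "explorer.exe", "explorer.exe"),
    # 2. Excluded: the Edge installer is the caller (matched by product name).
    _row("MicrosoftEdgeUpdate.exe", "MicrosoftEdgeUpdate.exe /update",
         "msedge.exe", "msedge.exe", product="Microsoft Edge Installer"),
    # 3. Excluded: the WMI service is the target.
    _row("WmiPrvSE.exe", "WmiPrvSE.exe",
         "svchost.exe", "svchost.exe -k netsvcs -p -s Winmgmt"),
    # 4. NOT excluded: same service, but the command line carries a full path,
    #    so the exact-match exclusion does not apply and the row still fires.
    _row("svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection",
         "explorer.exe", "explorer.exe"),
    # 5. NOT excluded: a binary in a user-writable temp folder queuing an APC
    #    into a browser, the kind of row the rule exists to surface.
    _row("update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe",
         "msedge.exe", "msedge.exe"),
    # 6. Out of scope: a different API-call ActionType.
    _row("update.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe",
         "msedge.exe", "msedge.exe", action="CreateRemoteThreadApiCall"),
]


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    for e in hits:
        print(f"{e['DeviceName']}: {e['InitiatingProcessCommandLine']!r} -> {e['FileName']}")
    print(triage_counts(hits))
```

Rows 4 and 5 are the only ones that survive: row 4 shows that an exclusion written as an exact command line silently stops matching when the same service is logged with a full path, and row 5 is the genuine hit. In production the `triage_counts` step corresponds to a `summarize count() by InitiatingProcessFileName, FileName` appended to the KQL, which is usually the first thing to run when deciding which further exclusions a given estate needs.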

Explanation

This query is designed to detect suspicious usage of the QueueUserAPC function, which can be exploited for malicious purposes such as process injection. Here's a simplified summary:

  1. Purpose: To identify potentially malicious use of the QueueUserAPC function, which can be used to execute code in the context of another process, a technique known as Asynchronous Procedure Call (APC) Injection.

  2. Detection Criteria:

    • The query looks at DeviceEvents where the ActionType is "QueueUserApcRemoteApiCall".
    • It excludes events where the initiating (calling) process command line is "svchost.exe -k netsvcs -p -s ShellHWDetection".
    • It also excludes events where the initiating process's version-info product name is "Microsoft Edge Installer".
    • Additionally, it excludes events where the target process command line is "svchost.exe -k netsvcs -p -s Winmgmt".
  3. Tags: The query is associated with process injection, APC injection, remote API calls, and is linked to the MITRE ATT&CK technique T1055.004.


In essence, this query helps in identifying unusual and potentially harmful uses of the QueueUserAPC function by filtering out known legitimate uses, thereby providing an early warning for possible malicious activities.

Details

Ali Hussein

Released: July 21, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, Process Injection, APC Injection, QueueUserAPC, Remote API Call, Suspicious Activity, MITRE ATT&CK

Operators

==, !=, | where