Process Injection: Asynchronous Procedure Call
T1055.004. The injector writes shellcode into a target process's address space (a d3f:ProcessSegment write via VirtualAllocEx/WriteProcessMemory) and executes it by queueing an Asynchronous Procedure Call to one of the target's threads with QueueUserAPC. The callback runs in the target's context the next time that thread enters an alertable wait (SleepEx, WaitForSingleObjectEx and similar with the alertable flag set), so no new thread is created.
Detect
api.name is not OCSF native; the native api object carries the call name in api.operation, so a source normalising to OCSF today has to populate that field or a custom extension. The telemetry itself must be kernel-sourced: QueueUserAPC is a thin wrapper over the NtQueueApcThread family of syscalls, and a cross-process APC queue is surfaced by the Microsoft-Windows-Threat-Intelligence ETW provider, which only anti-malware protected (PPL) consumers such as EDR sensors can read. Sysmon has no event for it, and a user-mode hook on QueueUserAPC is bypassed simply by calling the syscall directly. STP 3 until the OCSF api.name extension is available and kernel telemetry sources implement it.
Queueing an APC to an existing thread creates no thread, so there is no thread-start event to catch (Sysmon Event ID 8 does not fire); with standard Sysmon telemetry this variant is harder to detect than CreateRemoteThread (T1055.001). What does remain visible is the memory stage: the injector still opens the target with PROCESS_VM_WRITE | PROCESS_VM_OPERATION to write the shellcode, which Sysmon Event ID 10 (ProcessAccess) records unless the config filters it out, and it needs a thread handle with THREAD_SET_CONTEXT, which Sysmon does not log. Gate on the kernel APC queue event where actor.process.pid differs from process.pid, then filter to suspicious process relationships (for example an injector running from a user-writable directory, or a browser or Office process as the target). Two caveats: normalise the API name before matching, because NtQueueApcThread, NtQueueApcThreadEx and, on Windows 11, QueueUserAPC2 reach the same kernel path without ever calling QueueUserAPC; and in the early-bird variant the target is created suspended by the injector, so the PIDs still differ but the target is a child of the injector and a parent/child relationship alone is not a useful suppression.
Mitigate
ACG and CIG are enforced by the kernel on the target process's address space, so they act on the ProcessSegment write rather than on the execution primitive: ACG (ProcessDynamicCodePolicy) refuses to allocate or re-protect memory as executable in the protected process regardless of which process asks, and CIG (ProcessSignaturePolicy) refuses to map images that are not Microsoft-signed. Switching from CreateRemoteThread to QueueUserAPC does not bypass them, because the shellcode still has to land in executable memory first.
Enable ACG and Code Integrity Guard (CIG) on high-value targets (in Set-ProcessMitigation and Exploit Protection these are the BlockDynamicCode and MicrosoftSignedOnly settings) and verify with Get-ProcessMitigation that the policy is actually applied to the running process. Expect breakage where a process generates code at runtime (JIT engines, some plugin hosts); those need per-process exceptions or audit mode rather than blanket enforcement. The controls are technique-level in the sense that they cover every T1055 variant that writes new code into the target; they do not cover variants that only redirect execution into code already mapped in the target.
Respond
Assume the target process is executing attacker-controlled code with the target's identity, tokens and network reach. If the payload matters forensically, dump the target's memory first; then terminate both the injector (actor.process) and the injected target (process). Do not treat the target as recoverable, since the shellcode lives in its address space. Pivot on both PIDs for everything since the APC event: files written, network connections opened and child processes spawned, and isolate the host (d3f:NetworkIsolation) while that investigation runs.
Response scope: actor.process, api, process · D3FEND countermeasures: d3f:ProcessTermination, d3f:NetworkIsolation
OCSF event model
Event class: Process Activity (1007)
· activity_id: 4 (Inject)
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa
EVENT(["Process Activity\n· Inject"])
actor_process["Injector Process\nactor.process\nd3f:Process"]:::attacker
target_process["Target Process\nprocess\nd3f:Process"]:::postSuccess
injection_api["Injection Primitive\napi\nd3f:SystemCall"]:::attacker
device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted
EVENT --> actor_process
EVENT --> target_process
EVENT --> injection_api
EVENT --> device
actor_process -.->|"injects into"| target_process

Entity (D3FEND) | OCSF field | Stability | Note | Response (D3FEND)
actor.process (d3f:Process) | actor.process.file.path | attacker_controlled | Injector binary path, attacker-chosen and easily changed | d3f:ProcessTermination
process (d3f:Process) | process.pid | variable | Target process identifier, OS-assigned, varies per execution | d3f:ProcessTermination
api (d3f:SystemCall) | api.name | invariant | = QueueUserAPC | (none)
device (d3f:Host) | (none) | tainted | Host on which the target now runs attacker-controlled code | d3f:NetworkIsolation

Definitional Sigma rule
Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.
title: Process Injection: Asynchronous Procedure Call (T1055.004)
status: experimental
description: >
  Definitional rule, broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
tags:
  - attack.defense-evasion
  - attack.privilege-escalation
  - attack.t1055.004
logsource:
  product: ocsf
  category: Process Activity (1007)
detection:
  selection:
    activity_id: 4            # Inject; OCSF activity_id is an integer enum, activity_name carries 'Inject'
    api.name: 'QueueUserAPC'  # not native OCSF; requires the api.name extension
  condition: selection
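The selection above, followed by the narrowing gates described under Detect (cross-process PID check, suspicious process relationship, API-name normalisation) and the pivot described under Respond, run over a handful of constructed OCSF events. This is an added example, not code from this page or from any OCSF or Sigma project. The event records, the trusted-directory and sensitive-target lists, and the helper names triage and response_scope are assumptions for illustration; api.name is read alongside the native api.operation because the extension does not exist yet.

```python
"""Narrow the definitional APC-injection selection on OCSF Process Activity events.

Added example for this page; the events below are constructed. A real source
is a kernel-sourced EDR/ETW feed normalised to OCSF.
"""

PROCESS_ACTIVITY = 1007   # OCSF class_uid
NETWORK_ACTIVITY = 4001   # OCSF class_uid
LAUNCH, INJECT = 1, 4     # Process Activity activity_id values

# The Win32 wrapper, the NT syscalls beneath it and the Windows 11 special-APC
# variant all reach the same kernel path; a sensor may report any of them.
APC_QUEUE_APIS = {"QueueUserAPC", "QueueUserAPC2", "NtQueueApcThread", "NtQueueApcThreadEx"}

# Assumed tuning lists for the "suspicious process relationship" gate (tune per estate).
TRUSTED_INJECTOR_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
SENSITIVE_TARGETS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe",
                     "excel.exe", "outlook.exe", "lsass.exe"}


def api_name(ev):
    """Accept the page's api.name extension or the native OCSF api.operation."""
    api = ev.get("api") or {}
    return api.get("name") or api.get("operation") or ""


def matches_definition(ev):
    """The Sigma selection: Process Activity, activity Inject, an APC queue API."""
    return (ev.get("class_uid") == PROCESS_ACTIVITY
            and ev.get("activity_id") == INJECT
            and api_name(ev) in APC_QUEUE_APIS)


def is_cross_process(ev):
    """Injection proper: the queuing process does not own the target thread."""
    return ev["actor"]["process"]["pid"] != ev["process"]["pid"]


def is_suspicious_relationship(ev):
    """Untrusted injector location, or a target that should never receive remote APCs."""
    injector = ev["actor"]["process"]["file"]["path"].lower()
    target = ev["process"]["name"].lower()
    return not injector.startswith(TRUSTED_INJECTOR_DIRS) or target in SENSITIVE_TARGETS


def triage(events):
    """Event uids surviving each narrowing stage, broadest first."""
    definitional = [e for e in events if matches_definition(e)]
    cross = [e for e in definitional if is_cross_process(e)]
    alerts = [e for e in cross if is_suspicious_relationship(e)]
    uids = lambda evs: [e["metadata"]["uid"] for e in evs]
    return {"definitional": uids(definitional), "cross_process": uids(cross), "alerts": uids(alerts)}


def response_scope(alert, events):
    """PIDs to terminate, plus children and connections they produced after the APC."""
    pids = {alert["actor"]["process"]["pid"], alert["process"]["pid"]}
    since = alert["time"]
    children = [(e["process"]["pid"], e["process"]["name"]) for e in events
                if e.get("class_uid") == PROCESS_ACTIVITY and e.get("activity_id") == LAUNCH
                and e["time"] >= since and e["actor"]["process"]["pid"] in pids]
    conns = [f'{e["dst_endpoint"]["ip"]}:{e["dst_endpoint"]["port"]}' for e in events
             if e.get("class_uid") == NETWORK_ACTIVITY and e["time"] >= since
             and (e.get("actor") or {}).get("process", {}).get("pid") in pids]
    return {"terminate": sorted(pids), "children": children, "connections": conns}


def _proc(pid, name, path):
    return {"pid": pid, "name": name, "file": {"path": path}}


SAMPLE_EVENTS = [  # constructed for this example; 203.0.113.10 is a TEST-NET-3 address
    {"metadata": {"uid": "e1"}, "class_uid": 1007, "activity_id": 4, "time": 1000,  # in-process APC
     "actor": {"process": _proc(900, "svchost.exe", "C:\\Windows\\System32\\svchost.exe")},
     "process": _proc(900, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
     "api": {"name": "QueueUserAPC"}},
    {"metadata": {"uid": "e2"}, "class_uid": 1007, "activity_id": 4, "time": 1010,  # syscall name, api.operation
     "actor": {"process": _proc(4242, "update.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe")},
     "process": _proc(1337, "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
     "api": {"operation": "NtQueueApcThreadEx"}},
    {"metadata": {"uid": "e3"}, "class_uid": 1007, "activity_id": 4, "time": 1020,  # trusted tooling
     "actor": {"process": _proc(700, "sensor.exe", "C:\\Program Files\\ExampleEDR\\sensor.exe")},
     "process": _proc(2100, "notepad.exe", "C:\\Windows\\System32\\notepad.exe"),
     "api": {"name": "QueueUserAPC"}},
    {"metadata": {"uid": "e4"}, "class_uid": 1007, "activity_id": 1, "time": 1030,  # child of injected target
     "actor": {"process": _proc(1337, "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")},
     "process": _proc(5555, "cmd.exe", "C:\\Windows\\System32\\cmd.exe")},
    {"metadata": {"uid": "e5"}, "class_uid": 4001, "activity_id": 1, "time": 1040,  # connection by target
     "actor": {"process": _proc(1337, "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")},
     "dst_endpoint": {"ip": "203.0.113.10", "port": 443}},
    {"metadata": {"uid": "e6"}, "class_uid": 1007, "activity_id": 1, "time": 1050,  # unrelated launch
     "actor": {"process": _proc(900, "svchost.exe", "C:\\Windows\\System32\\svchost.exe")},
     "process": _proc(6000, "taskhostw.exe", "C:\\Windows\\System32\\taskhostw.exe")},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result)
    for ev in SAMPLE_EVENTS:
        if ev["metadata"]["uid"] in result["alerts"]:
            print(response_scope(ev, SAMPLE_EVENTS))
```

The three stages make the page's point concrete: the definitional selection alone also matches an in-process APC and trusted tooling, the PID gate removes the former, and only the relationship gate turns the rest into something worth paging on. The response scope deliberately includes activity that would look benign in isolation (a browser connecting on 443), because after injection the target's identity can no longer be trusted.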