host-interaction/process/inject

inject APC

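# capa rule: flags code that queues an Asynchronous Procedure Call (APC) into a
# thread after getting a payload into the target address space -- the classic
# APC injection pattern (T1055.004).
rule:
  meta:
    name: inject APC
    namespace: host-interaction/process/inject
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004]
    examples:
      - al-khaser_x64.exe_:0x140019348
  features:
    - and:
      # Stage 1: the payload must reach the target address space first, either
      # by a direct write or via a section object mapped into the target.
      - or:
        - match: write process memory
        - match: create or open section object
        - api: kernel32.MapViewOfFile
      # Stage 2: the APC queue call itself. The Ex/2 variants are also listed so
      # a sample that calls the newer entry points directly is not missed.
      - or:
        - api: kernel32.QueueUserAPC
        - api: kernel32.QueueUserAPC2
        - api: ntdll.NtQueueApcThread
        - api: ntdll.NtQueueApcThreadEx
      # Supporting context only: an `optional` block never decides whether the
      # rule matches, it just enriches the report when these features are seen.
      - optional:
        - or:
          # THREAD_ALL_ACCESS is 0x1fffff on Vista and later; XP-era code uses
          # 0x1f03ff, which this constant does not cover.
          - number: 0x1fffff = THREAD_ALL_ACCESS
          - api: kernel32.CreateProcess
          - api: kernel32.OpenProcess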
