Skip to content

Latest commit

 

History

History
93 lines (60 loc) · 3.27 KB

T1055.002-WIN-002.md

File metadata and controls

93 lines (60 loc) · 3.27 KB
Raw

Note: You are viewing an old, archived version of this content. The latest version is available in the 'main' branch.

Process_injection_via_QueueUserApcRemoteApiCall_by_rare_or_unsigned_processes

Metadata

ID: Process_injection_via_QueueUserApcRemoteApiCall_by_rare_or_unsigned_processes

OS: WindowsEndpoint, WindowsServer

FP Rate: Low

Author: FalconForce

License: BSD 3-Clause License

References: Link to medium post

ATT&CK Tags

Tactics: TA0004 - Privilege Escalation

Technique Subtechnique Technique Name
T1055 002 Process Injection - Portable Executable Injection

Utilized Data Sources

Log Provider Event ID Event Name ATT&CK Data Source
MDE DeviceEvents

Technical description of the attack

​The query searches for unsigned processes with a low GlobalPrevalence that inject into other processes. This technique is commonly used by multiple attacker toolkits.

Permission required to execute the technique

User

Detection description

This rule detects the use of the QueueUserApcRemoteApiCall API call that is registered by MDE. The is a legitimate use for this, however when executed by a rare binary which is unsigned as well should be very uncommon.

Considerations

Processes can be injected into in various different ways, this detection only focusses on the variant utilizing the QueueUserApcRemoteApiCall API call.

False Positives

None expected.

Suggested Response Actions

The process injection coming coming from the following sources will not be detected:

  • A DLL started by Rundll32.
  • A DLL which is hijacked, running inside a trusted process.
  • A COM object which lives inside a trusted process, such as dllhost.exe.
  • Using AppInit_DLL to load your malicious DLL inside a trusted process.
  • Use shims to load your malicious DLL inside a trusted process.

Detection Blind Spots

When the GlobalPrevalence of the used tool is too high this detection will not pick it up, the same is true for software signed with a validiated certificate. Additionally, when an attacker injects into a valid signed and common process through another method they will hide in the common signals.

References

Detection

Language: Kusto

Platform: M365 Security

Query:

let timeframe = (24h);
let QueueUserApcRemote = DeviceEvents
| where Timestamp > ago(timeframe)
| where ActionType == "QueueUserApcRemoteApiCall"
| distinct InitiatingProcessSHA1
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| where GlobalPrevalence < 1000 or isempty(GlobalPrevalence) or SoftwareName startswith "Microsoft Office";
DeviceEvents
| where Timestamp > ago(timeframe)
| where InitiatingProcessSHA1 in~ ((QueueUserApcRemote | project InitiatingProcessSHA1))
| join kind=leftouter QueueUserApcRemote on InitiatingProcessSHA1
// Customer tuning