Detects malicious injection behavior in which a process allocates memory in another live process, queues a remote thread via an APC (e.g., QueueUserAPC), and alters that thread's context so that unauthorized code executes under the legitimate process's context.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | APCQueueOperations |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| APCTargetProcessList | Processes that are rarely or never valid targets for legitimate APC queuing (e.g., lsass.exe, winlogon.exe) |
| ThreadQueueDepthThreshold | The number of APCs queued within a short time window that could signal abuse |
| TimeWindow | Expected latency between memory allocation and thread execution through APC |
| UserContextSensitivity | Used to filter on expected versus unexpected user-to-target-process pairings |
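As an added example that is not part of this detection strategy page, the correlation described above applied to constructed sample events: per source/target process pair, a process-access event (Sysmon EventCode 10) anchors the time window, and APC queue operations and remote-thread creations (Sysmon EventCode 8) inside that window are scored against the tunables. The simplified event layout (SourceImage/TargetImage fields, an APCQueueOperations event code), the sample paths, and the threshold values are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named after the page's fields; these values are constructed for the example.
APC_TARGET_PROCESS_LIST = {"lsass.exe", "winlogon.exe"}
THREAD_QUEUE_DEPTH_THRESHOLD = 3
TIME_WINDOW = timedelta(seconds=30)
SYSMON, ETW = "WinEventLog:Sysmon", "etw:Microsoft-Windows-Kernel-Process"
DROPPER, LSASS = r"C:\Users\a\dropper.exe", r"C:\Windows\System32\lsass.exe"
EXPLORER, NOTEPAD = r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"

def _ev(ts, channel, code, source_image, target_image):
    return {"ts": datetime.fromisoformat(ts), "channel": channel, "EventCode": code,
            "SourceImage": source_image, "TargetImage": target_image}

# Constructed sample telemetry (not captured logs): dropper.exe opens lsass.exe, queues three
# APCs and creates a remote thread; explorer.exe opens notepad.exe and queues a single APC.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00", SYSMON, 10, DROPPER, LSASS),
    _ev("2024-05-01T10:00:02", ETW, "APCQueueOperations", DROPPER, LSASS),
    _ev("2024-05-01T10:00:03", ETW, "APCQueueOperations", DROPPER, LSASS),
    _ev("2024-05-01T10:00:04", ETW, "APCQueueOperations", DROPPER, LSASS),
    _ev("2024-05-01T10:00:05", SYSMON, 8, DROPPER, LSASS),
    _ev("2024-05-01T10:01:00", SYSMON, 10, EXPLORER, NOTEPAD),
    _ev("2024-05-01T10:01:01", ETW, "APCQueueOperations", EXPLORER, NOTEPAD),
]

def process_name(image_path):
    return image_path.rsplit("\\", 1)[-1].lower()

def detect_apc_injection(events, targets=APC_TARGET_PROCESS_LIST,
                         depth=THREAD_QUEUE_DEPTH_THRESHOLD, window=TIME_WINDOW):
    """Per (SourceImage, TargetImage) pair, anchor on the first process-access event (Sysmon
    EventCode 10), then count APC queue operations and remote-thread creations (Sysmon EventCode 8)
    within `window`. Alert on queue-depth abuse, or on any remote thread into a listed target."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["SourceImage"], e["TargetImage"])].append(e)
    alerts = []
    for (src, tgt), evs in by_pair.items():
        access = next((e for e in evs if e["EventCode"] == 10), None)
        if access is None:
            continue  # no handle acquisition seen, so nothing to anchor the time window on
        in_window = [e for e in evs if access["ts"] <= e["ts"] <= access["ts"] + window]
        apc_count = sum(e["EventCode"] == "APCQueueOperations" for e in in_window)
        remote_thread = any(e["EventCode"] == 8 for e in in_window)
        sensitive = process_name(tgt) in targets
        if apc_count >= depth or (remote_thread and sensitive):
            alerts.append({"source": process_name(src), "target": process_name(tgt),
                           "apc_count": apc_count, "remote_thread": remote_thread})
    return alerts
```

Shrinking `window` drops the later events out of the anchored range, which is how TimeWindow trades sensitivity for false positives in practice.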