Asynchronous Procedure Call - T1055.004
(ATT&CK® Technique)
Definition
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.
D3FEND Inferred Relationships
graph LR;
  T1055004["Asynchronous Procedure Call"] --> |may-invoke| CreateProcess["Create Process"];
  class T1055004 OffensiveTechniqueNode;
  class CreateProcess ArtifactNode;
  click T1055004 href "/offensive-technique/attack/T1055.004/";
  click CreateProcess href "/dao/artifact/d3f:CreateProcess";

  ExecutableAllowlisting["Executable Allowlisting"] --> |restricts| CreateProcess["Create Process"];
  ExecutableAllowlisting["Executable Allowlisting"] -.-> |May Isolate| T1055004["Asynchronous Procedure Call"];
  class ExecutableAllowlisting DefensiveTechniqueNode;
  click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

  ExecutableDenylisting["Executable Denylisting"] --> |restricts| CreateProcess["Create Process"];
  ExecutableDenylisting["Executable Denylisting"] -.-> |May Isolate| T1055004["Asynchronous Procedure Call"];
  class ExecutableDenylisting DefensiveTechniqueNode;
  click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

  Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> |restricts| CreateProcess["Create Process"];
  Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> |May Isolate| T1055004["Asynchronous Procedure Call"];
  class Hardware-basedProcessIsolation DefensiveTechniqueNode;
  click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";

  MandatoryAccessControl["Mandatory Access Control"] --> |restricts| CreateProcess["Create Process"];
  MandatoryAccessControl["Mandatory Access Control"] -.-> |May Isolate| T1055004["Asynchronous Procedure Call"];
  class MandatoryAccessControl DefensiveTechniqueNode;
  click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";

  ProcessSpawnAnalysis["Process Spawn Analysis"] --> |analyzes| CreateProcess["Create Process"];
  ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> |May Detect| T1055004["Asynchronous Procedure Call"];
  class ProcessSpawnAnalysis DefensiveTechniqueNode;
  click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";

  SystemCallAnalysis["System Call Analysis"] --> |analyzes| CreateProcess["Create Process"];
  SystemCallAnalysis["System Call Analysis"] -.-> |May Detect| T1055004["Asynchronous Procedure Call"];
  class SystemCallAnalysis DefensiveTechniqueNode;
  click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";

  SystemCallFiltering["System Call Filtering"] --> |filters| CreateProcess["Create Process"];
  SystemCallFiltering["System Call Filtering"] -.-> |May Isolate| T1055004["Asynchronous Procedure Call"];
  class SystemCallFiltering DefensiveTechniqueNode;
  click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";