From 3dbd8312d84afd71cc19168a8302988a6f22d3fa Mon Sep 17 00:00:00 2001
From: kevross33
Date: Sat, 28 Feb 2026 17:10:16 +0000
Subject: [PATCH 1/2] Add Queue APC injection signature
---
 .../signatures/windows/injection_thread.py | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/modules/signatures/windows/injection_thread.py b/modules/signatures/windows/injection_thread.py
index 0800022c..0925ea31 100644
--- a/modules/signatures/windows/injection_thread.py
+++ b/modules/signatures/windows/injection_thread.py
@@ -54,3 +54,44 @@ def on_call(self, call, process):
 
     def on_complete(self):
         return self.ret
+
+
+class ApcInjection(Signature):
+    name = "apc_injection"
+    description = "Queues an Asynchronous Procedure Call (APC) to a thread, indicative of injection"
+    severity = 3
+    confidence = 80
+    categories = ["injection", "evasion"]
+    authors = ["Kevin Ross"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1055", "T1055.004"]
+    mbcs = ["E1055", "E1055.004"]
+
+    filter_apinames = {"NtQueueApcThread", "QueueUserAPC"}
+
+    def __init__(self, *args, **kwargs):
+        Signature.__init__(self, *args, **kwargs)
+        self.ret = False
+        self.apc_targets = set()
+
+    def on_call(self, call, process):
+        if call["api"] == "NtQueueApcThread":
+            target_thread = self.get_argument(call, "ThreadId")
+            apc_routine = self.get_argument(call, "ApcRoutine")
+        else:
+            target_thread = self.get_argument(call, "ThreadHandle")
+            apc_routine = self.get_argument(call, "pfnAPC")
+
+        if target_thread and apc_routine:
+            pid = process.get("process_id")
+            targetpid = self.get_argument(call, "ProcessId")
+
+            if str(apc_routine) != "0x00000000" and pid != targetpid:
+                if target_thread not in self.apc_targets:
+                    self.apc_targets.add(target_thread)
+                    self.mark_call()
+                    self.ret = True
+
+    def on_complete(self):
+        return self.ret
From 3cd14a9e77cad325cac092ac6f9ac5c163074057 Mon Sep 17 00:00:00 2001
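Review bot: The null-routine guard in on_call, `str(apc_routine) != "0x00000000"`, is tied to an 8-digit hex rendering; if the monitor logs 64-bit pointers as 16-digit `0x0000000000000000`, a NULL ApcRoutine would slip past the filter, so parsing the value, `int(str(apc_routine), 16) != 0` (guarded by `try/except ValueError` if non-hex renderings can occur), is more robust than the fixed-width literal. The deduplication key mixes two namespaces: `target_thread` is a ThreadId for NtQueueApcThread but a ThreadHandle for QueueUserAPC, which is acceptable for suppression but deserves a comment, e.g. `# keyed by thread id (NtQueueApcThread) or handle (QueueUserAPC); only the first APC per target is marked`. The "ProcessId" lookup is shared by both branches although QueueUserAPC takes only a thread handle; whether the hooked call logs a ProcessId cannot be confirmed from here, and if it does not, `targetpid` is presumably None and the cross-process test always passes for that API. The class has no docstring; a one-liner such as `"""Flags APC queueing into a thread of another process (T1055.004)."""` would record the cross-process intent behind the pid/targetpid comparison.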
From: kevross33
Date: Mon, 2 Mar 2026 23:11:53 +0000
Subject: [PATCH 2/2] Update injection_thread.py
---
 modules/signatures/windows/injection_thread.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/signatures/windows/injection_thread.py b/modules/signatures/windows/injection_thread.py
index 0925ea31..8a4cf69e 100644
--- a/modules/signatures/windows/injection_thread.py
+++ b/modules/signatures/windows/injection_thread.py
@@ -87,7 +87,7 @@ def on_call(self, call, process):
             pid = process.get("process_id")
             targetpid = self.get_argument(call, "ProcessId")
 
-            if str(apc_routine) != "0x00000000" and pid != targetpid:
+            if str(apc_routine) != "0x00000000" and str(pid) != str(targetpid):
                 if target_thread not in self.apc_targets:
                     self.apc_targets.add(target_thread)
                     self.mark_call()
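Review bot: The `str()` coercion on the changed line still treats a missing ProcessId as a cross-process hit: when `get_argument` returns None (a QueueUserAPC record without a ProcessId, presumably), `str(None)` is `"None"`, so `str(pid) != str(targetpid)` is always true and the self-queued-APC filter is silently bypassed for that path. Coercing both sides to text also only works if the report renders both identically (decimal vs. `0x`-prefixed hex would never compare equal); normalising both to int, or at least guarding with `if targetpid is None: return` when only cross-process APCs should fire, makes the intent explicit rather than relying on string shapes. A short comment stating the intent would help too, e.g. `# process_id is an int and ProcessId a string in the report; compare as text`. The enclosing on_call starts and ends outside the hunk.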