MITRE ATT&CK Technique
Description
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point <code>QueueUserAPC</code> can be used to invoke a function (such as <code>LoadLibrayA</code> pointing to a malicious DLL). A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-14T01:29:43.786Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may inject malicious code into processes via the '
'asynchronous procedure call (APC) queue in order to evade '
'process-based defenses as well as possibly elevate '
'privileges. APC injection is a method of executing arbitrary '
'code in the address space of a separate live process. \n'
'\n'
'APC injection is commonly performed by attaching malicious '
'code to the APC Queue (Citation: Microsoft APC) of a '
"process's thread. Queued APC functions are executed when the "
'thread enters an alterable state.(Citation: Microsoft APC) A '
'handle to an existing victim process is first created with '
'native Windows API calls such as <code>OpenThread</code>. At '
'this point <code>QueueUserAPC</code> can be used to invoke a '
'function (such as <code>LoadLibrayA</code> pointing to a '
'malicious DLL). \n'
'\n'
'A variation of APC injection, dubbed "Early Bird injection", '
'involves creating a suspended process in which malicious code '
"can be written and executed before the process' entry point "
'(and potentially subsequent anti-malware hooks) via an APC. '
'(Citation: CyberBit Early Bird Apr 2018) AtomBombing '
'(Citation: ENSIL AtomBombing Oct 2016) is another variation '
'that utilizes APCs to invoke malicious code previously '
'written to the global atom table.(Citation: Microsoft Atom '
'Table)\n'
'\n'
'Running code in the context of another process may allow '
"access to the process's memory, system/network resources, and "
'possibly elevated privileges. Execution via APC injection may '
'also evade detection from security products since the '
'execution is masked under a legitimate process. ',
'external_references': [{'external_id': 'T1055.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1055/004'},
{'description': 'Microsoft. (n.d.). Asynchronous '
'Procedure Calls. Retrieved December '
'8, 2017.',
'source_name': 'Microsoft APC',
'url': 'https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx'},
{'description': 'Gavriel, H. & Erbesfeld, B. (2018, '
'April 11). New ‘Early Bird’ Code '
'Injection Technique Discovered. '
'Retrieved May 24, 2018.',
'source_name': 'CyberBit Early Bird Apr 2018',
'url': 'https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/'},
{'description': 'Liberman, T. (2016, October 27). '
'ATOMBOMBING: BRAND NEW CODE '
'INJECTION FOR WINDOWS. Retrieved '
'December 8, 2017.',
'source_name': 'ENSIL AtomBombing Oct 2016',
'url': 'https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows'},
{'description': 'Microsoft. (n.d.). About Atom '
'Tables. Retrieved December 8, 2017.',
'source_name': 'Microsoft Atom Table',
'url': 'https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx'},
{'description': 'Hosseini, A. (2017, July 18). Ten '
'Process Injection Techniques: A '
'Technical Survey Of Common And '
'Trending Process Injection '
'Techniques. Retrieved December 7, '
'2017.',
'source_name': 'Elastic Process Injection July 2017',
'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'}],
'id': 'attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:00.298Z',
'name': 'Asynchronous Procedure Call',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}