Picus Security Details MITRE ATT&CK Asynchronous Procedure Call Technique
Cybersecurity firm Picus Security has released a detailed analysis of MITRE ATT&CK sub-technique T1055.004, Asynchronous Procedure Call (APC) injection, which lets adversaries run their own code inside a legitimate, already-running process.

The report covers T1055.004, the Asynchronous Procedure Call variant of MITRE ATT&CK's Process Injection technique. It abuses a mechanism Windows itself provides: an APC is a routine that the operating system, or any code holding a suitable thread handle, can queue for execution on a specific thread. An attacker who can queue an APC pointing at code they wrote into the target process gets that code executed by one of the target's own threads.
Picus Security explains that attackers queue the APC to a thread inside a legitimate process. The routine does not run right away: it stays pending until that thread enters an alertable state, meaning it performs a wait with the alertable flag set (SleepEx, WaitForSingleObjectEx and similar calls). At that moment the thread runs every queued APC, including the attacker's. Because the payload executes inside a trusted process, and no new thread is created, controls that judge activity by which process is running or that key on remote thread creation see nothing out of the ordinary.
The analysis walks through the attack lifecycle step by step: acquiring handles to the target process and to one of its threads (OpenProcess and OpenThread on the Win32 API), allocating memory in the target (VirtualAllocEx), writing the malicious payload (shellcode) into it (WriteProcessMemory), and finally queuing an APC whose routine address is the written payload (QueueUserAPC, or NtQueueApcThread underneath). One caveat a practitioner should keep in mind: the injector cannot force the alertable state. A queued APC is inert until the chosen thread waits alertably, so attackers either pick threads known to do so or control the thread's lifecycle themselves.
The publication stresses how stealthy APC injection is: it rides on a normal Windows mechanism, creates no remote thread, and so never triggers detections built on CreateRemoteThread (Sysmon Event ID 8, for instance). Defenders have to look one step earlier, at an unrelated process opening a handle to the target with memory-write rights (Sysmon Event ID 10) and at QueueUserAPC or NtQueueApcThread calls aimed at another process's threads. Picus Security's report provides a deeper understanding of the technique and of its use in real attacks.