Adversaries may inject code into another process by queuing an asynchronous procedure call (APC): the injector opens a handle to a thread in the target process (OpenThread) and queues a routine to it (QueueUserAPC); the routine runs the next time that thread enters an alertable wait, so the payload executes inside a process that defenders watch less closely and under that process's identity. The rule name refers to moving ("migrating") an implant into another process this way. SOC teams should hunt for this behaviour proactively, for example by scanning files or process memory with the YARA rule below and correlating the hits with process and file telemetry in Azure Sentinel (now Microsoft Sentinel), to uncover injected code hiding in otherwise benign processes.
YARA Rule
rule migrate_apc {
    meta:
        author = "x0r"
        description = "APC queue tasks migration"
        version = "0.1"
    strings:
        $c1 = "OpenThread"
        $c2 = "QueueUserAPC"
    condition:
        all of them
}
This YARA rule can be deployed wherever YARA runs: against files on disk with the yara command-line tool or yara-python, against a process by passing its PID to yara, or inside an EDR or sandbox that accepts YARA rules.
The detection logic is two plain ASCII strings, the import names "OpenThread" and "QueueUserAPC", combined with "all of them". Nothing restricts the rule to executables, so it matches any file that contains both words: a PE whose import table names both functions, but equally source code, documentation, debug symbols, or a copy of this page. Two further caveats: scanning process memory with it is not useful, because kernel32.dll is mapped into every process and its export table contains both names, so every process matches; and a loader that resolves the APIs at runtime (GetProcAddress or API hashing) carries neither string and is missed. Treat a hit as a lead to triage by path, signer, prevalence, and parent process, not as a verdict.
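A tighter variant, added here as an illustration and not part of the original rule set: it only considers PE files and checks the import table through YARA's pe module instead of looking for the raw strings anywhere in the file. The rule name is mine; kernel32.dll is assumed as the imported module, which is the common case but misses binaries whose import table names an API-set DLL (api-ms-win-core-processthreads-*) instead.

```yara
import "pe"

// Added example, not part of the original rule set: a PE-only variant of
// migrate_apc that inspects the import table rather than raw strings.
rule migrate_apc_imports
{
    meta:
        description = "PE importing both OpenThread and QueueUserAPC (tightened variant of migrate_apc)"
        reference   = "derived from migrate_apc by x0r"
    condition:
        // MZ header: skips source files, documents and symbol files that
        // merely mention the API names.
        uint16(0) == 0x5A4D and
        // Both functions must be named in the import table. The DLL name
        // comparison in pe.imports is case-insensitive; kernel32.dll is an
        // assumption (API-set imports would need a regex form or a second clause).
        pe.imports("kernel32.dll", "OpenThread") and
        pe.imports("kernel32.dll", "QueueUserAPC")
}
```

Run it with yara -r rule.yar <directory> for file scans. Hits remain leads rather than verdicts: plenty of legitimate native code queues APCs to its own threads, so weigh matches by signer, path and prevalence. Loaders that resolve the two functions at runtime leave no import entries and evade this variant just as they evade the original.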
When the rule is run by an EDR against dropped files or module images, the following benign sources are candidates for exclusion. Windows has no "APC queue cleanup" or "APC migration" maintenance activity; what these scenarios describe is legitimately signed code that happens to import both APIs. In every case confirm that the specific binary does import them before excluding it, and key the exclusion on full path and code signature rather than on process name alone: an attacker can name a dropper powershell.exe, and injection into a legitimate powershell.exe or sqlservr.exe is exactly the behaviour the rule exists to catch.
Scenario: Scheduled maintenance task running under PowerShell
Filter/Exclusion: process.name != "powershell.exe" is too broad on its own; exclude the known maintenance script or module by full path and signature, for example a signed file under a trusted directory such as C:\Windows\System32\
Scenario: SQL Server Agent job performing routine maintenance
Filter/Exclusion: process.name != "sqlservr.exe" only for job names matching known maintenance jobs (e.g., CleanupAPCQueue); keep unfiltered hits from sqlservr.exe outside those jobs
Scenario: Windows Task Scheduler running a maintenance script during off-peak hours
Filter/Exclusion: filter by task name (e.g., APCMigrationTask) rather than process.name != "schtasks.exe": schtasks.exe only creates and queries tasks, the scheduled action itself is launched by the Task Scheduler service as the configured program
Scenario: System Center Configuration Manager (SCCM) performing a system health check that loads modules matching the rule
Filter/Exclusion: process.name != "smsexec.exe" on site servers (the client-side agent host is ccmexec.exe), combined with a check for SCCM-related processes and known health check tasks
Scenario: Third-party monitoring application (e.g., Microsoft System Center Operations Manager) running a scheduled task that matches the rule
Filter/Exclusion: process.name != "omsagent.exe" or the application's documented process names and task IDs; note that on Windows the SCOM/Log Analytics agent runs as HealthService.exe and MonitoringHost.exe, while omsagent is the Linux agent name