Why does APC injection succeed in evading Sysmon compared to CreateRemoteThread?
Sysmon logs Event ID 8 (CreateRemoteThread) when one process creates a thread inside another process, which is exactly what the classic `CreateRemoteThread` injector does. APC injection takes a different route: after the injector writes its payload into the target, it calls `QueueUserAPC` to queue the payload onto an existing thread's asynchronous procedure call (APC) queue, and the payload runs the next time that thread enters an alertable wait (for example `SleepEx`, `WaitForSingleObjectEx` or `NtTestAlert`). No new thread is created, so Sysmon has nothing to report under Event ID 8 and does not hook `QueueUserAPC` itself. The injector still has to open the target process (`OpenProcess` for `VirtualAllocEx` and `WriteProcessMemory`) and the target thread (`OpenThread`), so a Sysmon configuration that includes Event ID 10 (ProcessAccess) can still record the process handle and its granted access mask; the evasion is of the thread-creation signal specifically, not of Sysmon as a whole. This technique is a practical example of how attackers adapt to monitoring tools, similar to the bypass strategies in Windows Shellcode Study Notes - Bypassing DEP with VirtualAlloc or Penetration Basics - Bypassing SSH Logs.
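The detection side of the comparison, as an added example that is not part of the original page or of Sysmon's own tooling: a small triage script that reads Sysmon events in their Windows Event Log XML shape and flags both the Event ID 8 signal that `CreateRemoteThread` leaves and the Event ID 10 (ProcessAccess) handle grant that a `QueueUserAPC`-based injector still has to produce. The access-right constants are the documented Win32 values from `winnt.h`; the sample events, image paths and the allowlist of benign source images are constructed for the example and are not real telemetry.

```python
"""Triage Sysmon events for cross-process code-injection staging.

Added example for this page (not Sysmon's own tooling). It parses Sysmon
events exported as XML and flags:
  * Event ID 8  (CreateRemoteThread): the classic remote-thread signal.
  * Event ID 10 (ProcessAccess): a handle whose GrantedAccess mask includes
    the rights an APC injector still needs for VirtualAllocEx and
    WriteProcessMemory, even though it never creates a thread.
"""
import xml.etree.ElementTree as ET

# Win32 process access rights from winnt.h (only the injection-relevant bits).
PROCESS_CREATE_THREAD = 0x0002   # needed by CreateRemoteThread
PROCESS_VM_OPERATION = 0x0008    # VirtualAllocEx / VirtualProtectEx
PROCESS_VM_WRITE = 0x0020        # WriteProcessMemory
WRITE_INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed allowlist of sources that legitimately open other processes
# with broad rights on a typical host; tune it to your own environment.
ALLOWLISTED_SOURCES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\svchost.exe",
}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on Sysmon tags."""
    return tag.rsplit("}", 1)[-1]


def parse_events(xml_text):
    """Return one dict per <Event>: {'EventID': int, <Data Name>: text, ...}."""
    events = []
    for ev in ET.fromstring(xml_text):
        rec = {}
        for section in ev:                      # <System> and <EventData>
            for child in section:
                name = _local(child.tag)
                if name == "EventID":
                    rec["EventID"] = int(child.text)
                elif name == "Data" and child.get("Name"):
                    rec[child.get("Name")] = (child.text or "").strip()
        events.append(rec)
    return events


def has_injection_rights(granted_access):
    """True if the hex GrantedAccess mask allows allocating and writing
    remote memory, the two steps APC injection shares with CreateRemoteThread."""
    mask = int(granted_access, 16)
    return mask & WRITE_INJECT_MASK == WRITE_INJECT_MASK


def classify(event, allowlist=ALLOWLISTED_SOURCES):
    """Map one Sysmon event to a finding label, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 8:
        return "remote_thread"                 # thread created in another process
    if (eid == 10
            and event.get("SourceImage") not in allowlist
            and has_injection_rights(event.get("GrantedAccess", "0x0"))):
        return "injection_capable_handle"      # what an APC injector still leaves
    return None


def triage(xml_text):
    """Return [(label, SourceImage, TargetImage)] for every suspicious event."""
    findings = []
    for ev in parse_events(xml_text):
        label = classify(ev)
        if label:
            findings.append((label, ev.get("SourceImage"), ev.get("TargetImage")))
    return findings


# Constructed sample: four events in the Sysmon/Windows Event Log XML shape.
NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SAMPLE_EVENTS_XML = f"""<Events>
<Event xmlns="{NS}"><System><EventID>8</EventID></System><EventData>
 <Data Name="SourceImage">C:\\Users\\Public\\rt.exe</Data>
 <Data Name="TargetImage">C:\\Windows\\explorer.exe</Data>
 <Data Name="StartFunction">LoadLibraryA</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>10</EventID></System><EventData>
 <Data Name="SourceImage">C:\\Users\\Public\\apc.exe</Data>
 <Data Name="TargetImage">C:\\Windows\\explorer.exe</Data>
 <Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>10</EventID></System><EventData>
 <Data Name="SourceImage">C:\\Windows\\System32\\Taskmgr.exe</Data>
 <Data Name="TargetImage">C:\\Windows\\explorer.exe</Data>
 <Data Name="GrantedAccess">0x1000</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>10</EventID></System><EventData>
 <Data Name="SourceImage">C:\\Windows\\System32\\csrss.exe</Data>
 <Data Name="TargetImage">C:\\Windows\\explorer.exe</Data>
 <Data Name="GrantedAccess">0x1FFFFF</Data></EventData></Event>
</Events>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS_XML):
        print(finding)
```

The constructed `rt.exe` event is caught by the Event ID 8 path; the `apc.exe` event never produces an Event ID 8 record, but its `OpenProcess` handle carrying `PROCESS_VM_OPERATION | PROCESS_VM_WRITE` (here the full `PROCESS_ALL_ACCESS` mask, `0x1FFFFF`) is caught by the Event ID 10 path. Task Manager's `PROCESS_QUERY_LIMITED_INFORMATION` handle (`0x1000`) and the allowlisted `csrss.exe` handle are left alone. In production the allowlist needs per-host tuning, and Event ID 10 must be enabled for the target images of interest in the Sysmon configuration or the record is never written in the first place.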
Tags: APC injection, Sysmon evasion, CreateRemoteThread, QueueUserAPC, event ID 8