T1106: Native API

Data from MITRE ATT&CK®:

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)

Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via Disable or Modify Tools.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

OS API Execution (Process)

Operating system function/method calls executed by a process

Module Load (Module)

Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique

windows

WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique

windows

WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique

windows

Run Shellcode via Syscall in Go

windows

Execution through API - CreateProcess

windows

Potential WinAPI Calls Via CommandLine

windows process creation

HackTool - CobaltStrike BOF Injection Pattern

windows process access

BPFDoor Abnormal Process ID or Lock File Accessed

linux

WinDbg/CDB LOLBIN Usage

windows process creation

HackTool - WinPwn Execution - ScriptBlock

windows ps script

HackTool - WinPwn Execution

windows process creation

HackTool - RedMimicry Winnti Playbook Execution

windows process creation

HackTool - HandleKatz Duplicating LSASS Handle

windows process access

Potential Direct Syscall of NtOpenProcess

windows process access

Potential WinAPI Calls Via PowerShell Scripts

windows ps script

Suspicious Mshta.EXE Execution Patterns

windows process creation