← Back to Explore
sigmahighHunting
Potential WinAPI Calls Via CommandLine
Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
Detection Query
selection:
CommandLine|contains:
- AddSecurityPackage
- AdjustTokenPrivileges
- Advapi32
- CloseHandle
- CreateProcessWithToken
- CreatePseudoConsole
- CreateRemoteThread
- CreateThread
- CreateUserThread
- DangerousGetHandle
- DuplicateTokenEx
- EnumerateSecurityPackages
- FreeHGlobal
- FreeLibrary
- GetDelegateForFunctionPointer
- GetLogonSessionData
- GetModuleHandle
- GetProcAddress
- GetProcessHandle
- GetTokenInformation
- ImpersonateLoggedOnUser
- kernel32
- LoadLibrary
- memcpy
- MiniDumpWriteDump
- ntdll
- OpenDesktop
- OpenProcess
- OpenProcessToken
- OpenThreadToken
- OpenWindowStation
- PtrToString
- QueueUserApc
- ReadProcessMemory
- RevertToSelf
- RtlCreateUserThread
- secur32
- SetThreadToken
- VirtualAlloc
- VirtualFree
- VirtualProtect
- WaitForSingleObject
- WriteInt32
- WriteProcessMemory
- ZeroFreeGlobalAllocUnicode
filter_optional_mpcmdrun:
Image|endswith: \MpCmdRun.exe
CommandLine|contains: GetLoadLibraryWAddress32
filter_optional_compatTelRunner:
ParentImage|endswith: \CompatTelRunner.exe
CommandLine|contains:
- FreeHGlobal
- PtrToString
- kernel32
- CloseHandle
condition: selection and not 1 of filter_optional_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-09-06
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.executionattack.t1106
Raw Content
title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: derived
status: test
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
- https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-06
modified: 2025-03-06
tags:
- attack.execution
- attack.t1106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'Advapi32'
- 'CloseHandle'
- 'CreateProcessWithToken'
- 'CreatePseudoConsole'
- 'CreateRemoteThread'
- 'CreateThread'
- 'CreateUserThread'
- 'DangerousGetHandle'
- 'DuplicateTokenEx'
- 'EnumerateSecurityPackages'
- 'FreeHGlobal'
- 'FreeLibrary'
- 'GetDelegateForFunctionPointer'
- 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'GetProcessHandle'
- 'GetTokenInformation'
- 'ImpersonateLoggedOnUser'
- 'kernel32'
- 'LoadLibrary'
- 'memcpy'
- 'MiniDumpWriteDump'
# - 'msvcrt'
- 'ntdll'
- 'OpenDesktop'
- 'OpenProcess'
- 'OpenProcessToken'
- 'OpenThreadToken'
- 'OpenWindowStation'
- 'PtrToString'
- 'QueueUserApc'
- 'ReadProcessMemory'
- 'RevertToSelf'
- 'RtlCreateUserThread'
- 'secur32'
- 'SetThreadToken'
# - 'user32'
- 'VirtualAlloc'
- 'VirtualFree'
- 'VirtualProtect'
- 'WaitForSingleObject'
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
filter_optional_mpcmdrun:
Image|endswith: '\MpCmdRun.exe'
CommandLine|contains: 'GetLoadLibraryWAddress32'
filter_optional_compatTelRunner:
ParentImage|endswith: '\CompatTelRunner.exe'
CommandLine|contains:
- 'FreeHGlobal'
- 'PtrToString'
- 'kernel32'
- 'CloseHandle'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
level: high