EXPLORE

← Back to Explore

T1106

Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations...

LinuxmacOSWindows

27

Detections

2

Sources

18

Threat Actors

BY SOURCE

16elastic11sigma

PROCEDURES (20)

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Lsass2 detections

Auto-extracted: 2 detections for lsass

Lateral2 detections

Auto-extracted: 2 detections for lateral

Script Block2 detections

Auto-extracted: 2 detections for script block

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Lsass1 detections

Auto-extracted: 1 detections for lsass

Process Access Monitoring1 detections

Auto-extracted: 1 detections for process access monitoring

Process Access1 detections

Auto-extracted: 1 detections for process access

Api1 detections

Auto-extracted: 1 detections for api

Powershell1 detections

Auto-extracted: 1 detections for powershell

Inject1 detections

Auto-extracted: 1 detections for inject

Token1 detections

Auto-extracted: 1 detections for token

Lateral1 detections

Auto-extracted: 1 detections for lateral

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Process Access1 detections

Auto-extracted: 1 detections for process access

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Inject1 detections

Auto-extracted: 1 detections for inject

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Api1 detections

Auto-extracted: 1 detections for api

THREAT ACTORS (18)

APT37 APT38 BlackTech Chimera Gamaredon Group Gorgon Group Higaisa Lazarus Group Medusa Group menuPass Mustang Panda Sandworm Team SideCopy Silence TA505 ToddyCat Tropic Trooper Turla

DETECTIONS (27)

Abnormal Process ID or Lock File Created

BPFDoor Abnormal Process ID or Lock File Accessed

HackTool - CobaltStrike BOF Injection Pattern

HackTool - HandleKatz Duplicating LSASS Handle

HackTool - RedMimicry Winnti Playbook Execution

HackTool - WinPwn Execution

HackTool - WinPwn Execution - ScriptBlock

LSASS Process Access via Windows API

Network Connection from Binary with RWX Memory Region

Persistence via Hidden Run Key Detected

Potential Binary Proxy Execution Via Cdb.EXE

Potential Credential Access via LSASS Memory Dump

Potential Direct Syscall of NtOpenProcess

Potential Process Injection via PowerShell

Potential WinAPI Calls Via CommandLine

Potential WinAPI Calls Via PowerShell Scripts

PowerShell Kerberos Ticket Dump

PowerShell Keylogging Script

PowerShell PSReflect Script

PowerShell Script with Token Impersonation Capabilities

PowerShell Share Enumeration Script

PowerShell Suspicious Discovery Related Windows API Functions

PowerShell Suspicious Script with Audio Capture Capabilities

Suspicious Mshta.EXE Execution Patterns

Suspicious Process Access via Direct System Call

Suspicious SolarWinds Child Process

Unknown Execution of Binary with RWX Memory Region