EXPLORE

← Back to Explore

T1106

Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations...

LinuxmacOSWindows

29

Detections

2

Sources

20

Threat Actors

BY SOURCE

16elastic13sigma

PROCEDURES (21)

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Dump2 detections

Auto-extracted: 2 detections for dump

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Lateral2 detections

Auto-extracted: 2 detections for lateral

Script Block2 detections

Auto-extracted: 2 detections for script block

Powershell2 detections

Auto-extracted: 2 detections for powershell

Process Access Monitoring1 detections

Auto-extracted: 1 detections for process access monitoring

Process Access1 detections

Auto-extracted: 1 detections for process access

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Inject1 detections

Auto-extracted: 1 detections for inject

Inject1 detections

Auto-extracted: 1 detections for inject

Api1 detections

Auto-extracted: 1 detections for api

Powershell1 detections

Auto-extracted: 1 detections for powershell

Credential1 detections

Auto-extracted: 1 detections for credential

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Lateral1 detections

Auto-extracted: 1 detections for lateral

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Api1 detections

Auto-extracted: 1 detections for api

Dump1 detections

Auto-extracted: 1 detections for dump

THREAT ACTORS (20)

APT37 APT38 BlackTech Chimera Gamaredon Group Gorgon Group Higaisa Kimsuky Lazarus Group Medusa Group menuPass Mustang Panda Sandworm Team SideCopy Silence TA505 ToddyCat Tropic Trooper Turla WIRTE

DETECTIONS (29)

Abnormal Process ID or Lock File Created

BPFDoor Abnormal Process ID or Lock File Accessed

HackTool - CobaltStrike BOF Injection Pattern

HackTool - HandleKatz Duplicating LSASS Handle

HackTool - RedMimicry Winnti Playbook Execution

HackTool - WinPwn Execution

HackTool - WinPwn Execution - ScriptBlock

LSASS Process Access via Windows API

Network Connection from Binary with RWX Memory Region

Persistence via Hidden Run Key Detected

Potential Binary Proxy Execution Via Cdb.EXE

Potential Credential Access via LSASS Memory Dump

Potential Direct Syscall of NtOpenProcess

Potential Process Injection via PowerShell

Potential WinAPI Calls Via CommandLine

Potential WinAPI Calls Via PowerShell Scripts

PowerShell Kerberos Ticket Dump

PowerShell Keylogging Script

PowerShell PSReflect Script

PowerShell Script with Token Impersonation Capabilities

PowerShell Share Enumeration Script

PowerShell Suspicious Discovery Related Windows API Functions

PowerShell Suspicious Script with Audio Capture Capabilities

Suspicious Mshta.EXE Execution Patterns

Suspicious Process Access via Direct System Call

Suspicious SolarWinds Child Process

Unknown Execution of Binary with RWX Memory Region

WinAPI Function Calls Via PowerShell Scripts

WinAPI Library Calls Via PowerShell Scripts