Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are how a process reaches system resources such as memory, files, and hardware, or performs system-level tasks, so the sequence and arguments of a process's API calls are a direct record of its intent, which matters most when the process is malicious. The table below maps telemetry channels to the API calls, syscalls, or call patterns worth monitoring on each.
| Source:channel | API calls / behavior observed |
|---|---|
| android:logcat | SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID |
| android:logcat | QUERY on exported ContentProviders of other packages (content:// |
| android:logcat | ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by |
| android:logcat | AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages |
| android:logcat | TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground |
| android:logcat | PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for |
| android:logcat | getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks |
| android:logcat | ACTION_VIEW redirect_uri handled by unexpected package |
| iOS:unifiedlog | canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri (these are iOS APIs, not Android ones) |
| android:logcat | query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree) |
| android:logcat | wifiservice startScan / scanResults retrieved repeatedly or by unexpected package |
| android:logcat | bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package |
| android:logcat | telephony cell info enumeration bursts (neighboring/all cell info) by package |
| android:logcat | repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection) |
| android:logcat | Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE) |
| android:logcat | Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source |
| android:logcat | Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs |
| android:logcat | Invocation of Calendar.set() and Calendar.add() |
| android:logcat | Invocation of CallLog.Calls.getLastOutgoingCall() |
| android:logcat | Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact() |
| android:logcat | Invocation of AccountManager.getAccounts() |
| AndroidLogs:Kernel | Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers) |
| auditd:MMAP | memory region with RWX permissions allocated |
| auditd:SYSCALL | ptrace, ioctl |
| auditd:SYSCALL | Rules capturing clock_gettime, time, gettimeofday syscalls when enabled. Caveat: on most architectures these are served from the vDSO without entering the kernel, so such audit rules record little or nothing unless the vDSO fast path is bypassed |
| auditd:SYSCALL | openat/read/ioctl on /dev/video* by uncommon user/process |
| auditd:SYSCALL | mmap, ptrace, process_vm_writev or direct memory ops |
| auditd:SYSCALL | unshare, mount, keyctl, setns syscalls executed by containerized processes |
| auditd:SYSCALL | send, recv, write: Abnormal interception or alteration of transmitted data |
| auditd:SYSCALL | sudo or pkexec invocation |
| auditd:SYSCALL | mount system call with bind or remap flags |
| auditd:SYSCALL | fork/clone/setsid syscall tracing (daemon(3) is a libc wrapper around fork and setsid, not a syscall of its own) |
| auditd:SYSCALL | ptrace, mmap, mprotect, open/openat (dlopen is a loader function, visible in audit only as the openat and mmap calls it issues) |
| auditd:SYSCALL | ptrace, mmap, process_vm_writev |
| auditd:SYSCALL | execve of dd or sed targeting /proc/*/mem |
| AWS:CloudTrail | sts:GetCallerIdentity and first API calls made with instance-role credentials obtained from IMDS (the IMDS metadata retrieval itself is not recorded in CloudTrail and requires instance-level telemetry) |
| AWS:CloudTrail | Describe* or List* API calls |
| AWS:CloudTrail | kms:Decrypt |
| EDR:file | SetFileTime |
| EDR:memory | Behavioral API telemetry (GetProcAddress, LoadLibrary, VirtualAlloc) |
| EDR:memory | API usage MFCreateDeviceSource, IAMStreamConfig, ICaptureGraphBuilder2, DirectShow filter graph creation from uncommon callers |
| EDR:memory | Objective-C/Swift calls to AVCaptureDevice/AVCaptureSession by non-allowlisted processes |
| EDR:memory | VirtualAlloc/VirtualProtect/MapViewOfFile indicators via stack/heap activity and ImageLoad |
| EDR:memory | MemoryWriteToExecutable |
| esxi:hostd | Remote access API calls and file uploads |
| ETW | Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList |
| etw:Microsoft-Windows-Directory-Services-SAM | api_call: Calls to DsAddSidHistory or related RPC operations |
| etw:Microsoft-Windows-DotNETRuntime | AssemblyLoad/ModuleLoad (Loader keyword) from Microsoft-Windows-DotNETRuntime |
| etw:Microsoft-Windows-Kernel-Base | GetLocaleInfoW, GetTimeZoneInformation API calls |
| etw:Microsoft-Windows-Kernel-File | ZwSetEaFile or ZwQueryEaFile function calls |
| etw:Microsoft-Windows-Kernel-Process | API tracing / stack tracing via ETW or telemetry-based EDR |
| etw:Microsoft-Windows-Kernel-Process | APCQueueOperations |
| etw:Microsoft-Windows-Kernel-Process | High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage |
| etw:Microsoft-Windows-Kernel-Process | API Calls |
| etw:Microsoft-Windows-Kernel-Process | NtQueryInformationProcess |
| etw:Microsoft-Windows-Kernel-Process | NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread |
| etw:Microsoft-Windows-Kernel-Process | api_call: UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and CreateProcess* with EXTENDED_STARTUPINFO_PRESENT / StartupInfoEx |
| etw:Microsoft-Windows-Kernel-Process | CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx |
| etw:Microsoft-Windows-Kernel-Process | WriteProcessMemory: WriteProcessMemory targeting regions containing KernelCallbackTable addresses |
| etw:Microsoft-Windows-RPC | rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes |
| etw:Microsoft-Windows-Security-Auditing | api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser |
| etw:Microsoft-Windows-Win32k | SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage |
| etw:Microsoft-Windows-Win32k | SendMessage, PostMessage, LVM_* |
| ETW:ProcThread | api_call: CreateProcessWithTokenW, CreateProcessAsUserW |
| ETW:Token | token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser |
| ETW:Token | api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken |
| fs:fsusage | Detached process execution with no associated parent |
| iOS:unifiedlog | mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files |
| iOS:unifiedlog | LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes |
| iOS:unifiedlog | Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors |
| iOS:unifiedlog | enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers |
| iOS:unifiedlog | Application invokes UIDevice queries (model, systemVersion, name) |
| iOS:unifiedlog | Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls |
| iOS:unifiedlog | Application activates CoreLocation services or CLLocationManager APIs |
| iOS:unifiedlog | Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior |
| iOS:unifiedlog | Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior |
| iOS:unifiedlog | Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device |
| iOS:unifiedlog | Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence |
| iOS:unifiedlog | Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform |
| iOS:unifiedlog | Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context |
| linux:syslog | Execution of modified binaries or abnormal library load sequences |
| macos:osquery | open, execve: Unexpected processes accessing or modifying critical files |
| macos:osquery | CALCULATE: Integrity validation of transmitted data via hash checks |
| macos:unifiedlog | Invocation of SMLoginItemSetEnabled by non-system or recently installed application |
| macos:unifiedlog | flock|NSDistributedLock|FileHandle.*lockForWriting |
| macos:unifiedlog | application logs referencing NSTimer, sleep, or launchd delays |
| macos:unifiedlog | Access decisions to kTCCServiceCamera for unexpected binaries |
| macos:unifiedlog | audio APIs |
| macos:unifiedlog | com.apple.securityd, com.apple.tccd |
| macos:unifiedlog | authorization execute privilege requests |
| macos:unifiedlog | ptrace: Processes invoking ptrace with the PT_TRACE_ME or PT_DENY_ATTACH request (macOS naming; PTRACE_TRACEME is the Linux equivalent) |
| macos:unifiedlog | Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security auditing tools (the API has been deprecated since macOS 10.7 but still works, so its use by current software is itself notable) |
| macos:unifiedlog | access or unlock attempt to keychain database |
| macos:unifiedlog | Execution of input detection APIs (e.g., CGEventSourceKeyState) |
| MobileEDR:telemetry | Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction |
| MobileEDR:telemetry | Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed') |
| MobileEDR:telemetry | Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity |
| MobileEDR:telemetry | Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence |
| MobileEDR:telemetry | Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access |
| MobileEDR:telemetry | Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions |
| MobileEDR:telemetry | Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use |
| MobileEDR:telemetry | Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation |
| MobileEDR:telemetry | Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install |
| MobileEDR:telemetry | Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install |
| MobileEDR:telemetry | Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update |
| MobileEDR:telemetry | Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image |
| MobileEDR:telemetry | Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access |
| MobileEDR:telemetry | App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication |
| MobileEDR:telemetry | Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow |
| MobileEDR:telemetry | Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform |
| MobileEDR:telemetry | Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing |
| MobileEDR:telemetry | MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow |
| MobileEDR:telemetry | Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow |
| MobileEDR:telemetry | Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active |
| MobileEDR:telemetry | Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow |
| MobileEDR:telemetry | Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow |
| MobileEDR:telemetry | Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship |
| MobileEDR:telemetry | App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction |
| MobileEDR:telemetry | App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows |
| MobileEDR:telemetry | App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers |
| MobileEDR:telemetry | Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage |
| MobileEDR:telemetry | App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers |
| MobileEDR:telemetry | Keypair generation, import, or access events (public/private key usage) occurring prior to network communication |
| MobileEDR:telemetry | Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment |
| MobileEDR:telemetry | Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain |
| MobileEDR:telemetry | Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer |
| MobileEDR:telemetry | Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload |
| MobileEDR:telemetry | Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase |
| MobileEDR:telemetry | Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission |
| MobileEDR:telemetry | Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain |
| MobileEDR:telemetry | Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment |
| MobileEDR:telemetry | Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation |
| MobileEDR:telemetry | Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase |
| MobileEDR:telemetry | Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase |
| MobileEDR:telemetry | Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase |
| MobileEDR:telemetry | Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase |
| MobileEDR:telemetry | Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase |
| MobileEDR:telemetry | Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases |
| MobileEDR:telemetry | Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase |
| MobileEDR:telemetry | Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase |
| MobileEDR:telemetry | application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior |
| MobileEDR:telemetry | Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase |
| MobileEDR:telemetry | application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events |
| MobileEDR:telemetry | application launches or executes code where loaded library or component path does not match application package path or expected signing context |
| MobileEDR:telemetry | multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval |
| MobileEDR:telemetry | device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*) |
| MobileEDR:telemetry | application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant |
| MobileEDR:telemetry | application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation |
| MobileEDR:telemetry | application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed |
| MobileEDR:telemetry | application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match |
| MobileEDR:telemetry | application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition |
| MobileEDR:telemetry | application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match |
| MobileEDR:telemetry | application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression |
| MobileEDR:telemetry | application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence |
| MobileEDR:telemetry | application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation |
| MobileEDR:telemetry | application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground |
| MobileEDR:telemetry | application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state |
| MobileEDR:telemetry | application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss |
| MobileEDR:telemetry | application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss |
| MobileEDR:telemetry | application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections |
| networkdevice:syslog | aaa privilege_exec |
| networkdevice:syslog | Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance |
| NSM:Flow | smb_command: TreeConnectAndX to \\*\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares |
| snmp:trap | management queries |
| WinEventLog:Application | API call to AddMonitor invoked by non-installer process |
| WinEventLog:Microsoft-Windows-COM/Operational | CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline |
| WinEventLog:Security | EventCode=4663, 4670, 4656 |
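The auditd:MMAP and auditd:SYSCALL rows above (RWX allocations, ptrace/process_vm_writev, dd or sed writing to /proc/*/mem) are all answered from the same record format, so the following is an added example of detection logic run over constructed auditd records; it is not code from the original page. It assumes x86_64 syscall numbers, the audit.log field layout, and that rules with `-k mem`, `-k ptrace` and `-k exec` keys are loaded; the sample log lines and the `detect` and `parse_records` function names are this example's own.

```python
import re
from typing import Dict, List

# Syscall numbers are x86_64 (arch=c000003e); run `ausyscall --dump` for others.
SYSCALL_NAMES = {9: "mmap", 10: "mprotect", 59: "execve",
                 101: "ptrace", 311: "process_vm_writev"}
PROT_WRITE, PROT_EXEC = 0x2, 0x4
PTRACE_REQUESTS = {0: "PTRACE_TRACEME", 4: "PTRACE_POKETEXT", 5: "PTRACE_POKEDATA",
                   16: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}
PROC_MEM = re.compile(r"/proc/(\d+|self)/mem")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
EVENT_ID = re.compile(r"audit\(\d+\.\d+:(\d+)\)")   # serial shared by one event's records

# Constructed records (not a real capture) in audit.log layout. Rules such as
#   -a always,exit -F arch=b64 -S mmap,mprotect -k mem
#   -a always,exit -F arch=b64 -S ptrace,process_vm_writev -k ptrace
#   -a always,exit -F arch=b64 -S execve -k exec
# produce records of this shape; a0..a3 are the hex syscall arguments.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=9 success=yes exit=139700000000000 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1000 pid=4242 auid=1000 uid=1000 gid=1000 comm="loader" exe="/tmp/loader" key="mem"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=10 success=yes exit=0 a0=7f0000000000 a1=1000 a2=5 a3=0 items=0 ppid=1 pid=1234 auid=0 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="mem"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=1000 pid=4242 auid=1000 uid=1000 gid=1000 comm="loader" exe="/tmp/loader" key="ptrace"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=4242 pid=4300 auid=1000 uid=1000 gid=1000 comm="dd" exe="/usr/bin/dd" key="exec"
type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="dd" a1="if=/tmp/payload" a2="of=/proc/1234/mem"
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=9 success=yes exit=139800000000000 a0=0 a1=2000 a2=3 a3=22 items=0 ppid=1 pid=1234 auid=0 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key="mem"
"""


def parse_records(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Group records by event serial so the SYSCALL and EXECVE lines of one execve form one event."""
    events: Dict[str, Dict[str, Dict[str, str]]] = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        m = EVENT_ID.search(fields.get("msg", ""))
        if not m or "type" not in fields:
            continue
        events.setdefault(m.group(1), {})[fields["type"]] = fields
    return events


def detect(text: str) -> List[dict]:
    """Return one finding per record matching the page's auditd patterns."""
    findings: List[dict] = []
    for serial, recs in parse_records(text).items():
        sc = recs.get("SYSCALL")
        if not sc:
            continue
        name = SYSCALL_NAMES.get(int(sc["syscall"]))
        base = {"serial": serial, "pid": int(sc["pid"]), "comm": sc["comm"]}
        args = [int(sc[f"a{i}"], 16) for i in range(4)]
        if name in ("mmap", "mprotect") and args[2] & (PROT_WRITE | PROT_EXEC) == (PROT_WRITE | PROT_EXEC):
            # Writable+executable is the property that matters; PROT_READ is incidental.
            findings.append({**base, "rule": "wx_memory", "detail": f"{name} prot=0x{args[2]:x}"})
        elif name == "ptrace":
            req = PTRACE_REQUESTS.get(args[0], f"request=0x{args[0]:x}")
            findings.append({**base, "rule": "ptrace", "detail": f"{req} target_pid={args[1]}"})
        elif name == "process_vm_writev":
            findings.append({**base, "rule": "process_vm_writev", "detail": f"target_pid={args[0]}"})
        elif name == "execve" and sc["comm"] in ("dd", "sed"):
            ex = recs.get("EXECVE", {})
            argv = [ex[k] for k in sorted((k for k in ex if re.fullmatch(r"a\d+", k)),
                                          key=lambda k: int(k[1:]))]
            cmdline = " ".join(argv)
            if PROC_MEM.search(cmdline):
                findings.append({**base, "rule": "proc_mem_write", "detail": cmdline})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG):
        print(finding)
```

The record for sshd's `mprotect` with prot=0x5 (read+execute) produces no finding: the condition is write-and-execute on the same region, which is the behaviour the RWX row targets, and read-only or read-execute transitions are normal loader activity.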
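The etw:Microsoft-Windows-Kernel-Process rows listing NtUnmapViewOfSection/VirtualAllocEx/WriteProcessMemory/SetThreadContext/ResumeThread and UpdateProcThreadAttribute(PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) describe sequences rather than single calls, so the following is an added example (not code from the original page) of correlating per-process API telemetry into those chains. It assumes a sensor that has already resolved handle arguments to process IDs; the `ApiEvent` record shape, the event sample, and the `detect_injection` and `detect_ppid_spoof` names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_EXECUTE_READWRITE = 0x40
CREATE_SUSPENDED = 0x00000004
EXTENDED_STARTUPINFO_PRESENT = 0x00080000


@dataclass
class ApiEvent:
    ts: float                         # seconds since trace start
    pid: int                          # calling process
    api: str                          # API name as the sensor reports it
    target_pid: Optional[int] = None  # process that a handle argument resolved to
    protect: int = 0                  # PAGE_* protection for allocation calls
    flags: int = 0                    # dwCreationFlags for CreateProcess*
    attr: Optional[str] = None        # attribute for UpdateProcThreadAttribute


# Stages of a cross-process injection chain in the order they must occur.
STAGES = [
    ("allocate", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("execute", {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"}),
]
WINDOW_SECONDS = 30.0  # noise control: allocate and execute stages must fall inside this


def detect_injection(events: List[ApiEvent]) -> List[dict]:
    """Flag (source, target) pairs that complete allocate -> write -> execute in order."""
    by_pair: Dict[Tuple[int, int], List[ApiEvent]] = {}
    for ev in events:
        if ev.target_pid is not None and ev.target_pid != ev.pid:
            by_pair.setdefault((ev.pid, ev.target_pid), []).append(ev)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        stage_ts: Dict[str, float] = {}
        stage_api: Dict[str, str] = {}
        idx, rwx = 0, False
        for ev in evs:
            name, apis = STAGES[idx]
            if ev.api in apis:
                stage_ts[name], stage_api[name] = ev.ts, ev.api
                rwx = rwx or (name == "allocate" and ev.protect == PAGE_EXECUTE_READWRITE)
                idx += 1
                if idx == len(STAGES):
                    break
        if idx < len(STAGES) or stage_ts["execute"] - stage_ts["allocate"] > WINDOW_SECONDS:
            continue
        seen = {e.api for e in evs}
        findings.append({
            "source_pid": src, "target_pid": dst,
            "chain": [stage_api[s] for s, _ in STAGES],
            "rwx_alloc": rwx,
            "hollowing": "NtUnmapViewOfSection" in seen,  # unmapping the target image first
            "suspended_create": any(e.api.startswith("CreateProcess") and e.flags & CREATE_SUSPENDED
                                    for e in evs),
        })
    return findings


def detect_ppid_spoof(events: List[ApiEvent]) -> List[dict]:
    """UpdateProcThreadAttribute(PARENT_PROCESS) followed by CreateProcess* with an extended STARTUPINFO."""
    pending: Dict[int, ApiEvent] = {}  # caller pid -> attribute event awaiting its CreateProcess
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.api == "UpdateProcThreadAttribute" and ev.attr == "PROC_THREAD_ATTRIBUTE_PARENT_PROCESS":
            pending[ev.pid] = ev
        elif ev.api.startswith("CreateProcess") and ev.flags & EXTENDED_STARTUPINFO_PRESENT and ev.pid in pending:
            spoofed = pending.pop(ev.pid).target_pid
            findings.append({"caller_pid": ev.pid, "claimed_parent_pid": spoofed, "child_pid": ev.target_pid})
    return findings


# Constructed telemetry (not a real capture).
SAMPLE_EVENTS = [
    # pid 1000 hollows a suspended child (pid 2000)
    ApiEvent(0.0, 1000, "CreateProcessW", target_pid=2000, flags=CREATE_SUSPENDED),
    ApiEvent(0.1, 1000, "NtUnmapViewOfSection", target_pid=2000),
    ApiEvent(0.2, 1000, "VirtualAllocEx", target_pid=2000, protect=PAGE_EXECUTE_READWRITE),
    ApiEvent(0.3, 1000, "WriteProcessMemory", target_pid=2000),
    ApiEvent(0.4, 1000, "SetThreadContext", target_pid=2000),
    ApiEvent(0.5, 1000, "ResumeThread", target_pid=2000),
    # pid 3000 behaves like a debugger: reads and patches memory, creates no execution
    ApiEvent(1.0, 3000, "ReadProcessMemory", target_pid=4000),
    ApiEvent(1.1, 3000, "WriteProcessMemory", target_pid=4000),
    # pid 5000 claims pid 700 as parent of the child it spawns (pid 5001)
    ApiEvent(2.0, 5000, "UpdateProcThreadAttribute", target_pid=700, attr="PROC_THREAD_ATTRIBUTE_PARENT_PROCESS"),
    ApiEvent(2.1, 5000, "CreateProcessW", target_pid=5001, flags=EXTENDED_STARTUPINFO_PRESENT),
    # pid 6000 allocates and writes into pid 7000 but never executes it
    ApiEvent(3.0, 6000, "VirtualAllocEx", target_pid=7000, protect=0x04),
    ApiEvent(3.1, 6000, "WriteProcessMemory", target_pid=7000),
]

if __name__ == "__main__":
    print(detect_injection(SAMPLE_EVENTS))
    print(detect_ppid_spoof(SAMPLE_EVENTS))
```

Requiring the stages in order is what keeps debugger-like writers and alloc-without-execute out of the results; the `hollowing`, `rwx_alloc` and `suspended_create` fields are kept as separate confidence signals rather than folded into the match condition, since a thread-context injection into a pre-existing process has none of them and should still be reported.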