OS API Execution

Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.

Data Collection Measures:

  • Endpoint Detection and Response (EDR) Tools:
    • Leverage tools to monitor API execution behaviors at the process level.
    • Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.
  • Process Monitor (ProcMon):
    • Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis.
  • Windows Event Logs:
    • Use Event IDs from Windows logs for specific API-related activities:
      • Event ID 4688: A new process has been created (can indirectly infer API use).
      • Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).
  • Dynamic Analysis Tools:
    • Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.
  • Host-Based Logs:
    • On Linux/macOS systems, leverage audit and tracing frameworks (e.g., auditd, strace) to capture and analyze the system calls that API functions ultimately map to.
  • Runtime Monitors:
    • Runtime security tools like Falco can monitor system-level calls for API execution.
  • Debugging and Tracing:
    • Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.
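
As an added example (not part of the original page), the following Python triages constructed auditd SYSCALL records against the patterns this component's Linux log sources name: ptrace/process_vm_writev cross-process access, mmap/mprotect with writable and executable protection, and namespace or mount manipulation. The syscall numbers are x86_64; the sample log lines and the rule key names are constructed for illustration.

```python
import shlex

# x86_64 syscall numbers for the calls the auditd log sources above single out.
# A matching collection rule would look like (assumed, not from the page):
#   auditctl -a always,exit -F arch=b64 -S ptrace -S process_vm_writev -k inject
SYSCALL_NAMES = {9: "mmap", 10: "mprotect", 101: "ptrace", 165: "mount",
                 250: "keyctl", 272: "unshare", 308: "setns", 311: "process_vm_writev"}
PROT_WRITE, PROT_EXEC = 0x2, 0x4

# Constructed auditd records: a benign execve, an RWX mmap and a ptrace from the
# same untrusted binary, a read/write mmap from an interpreter, and a PATH record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=7f00 a1=7f10 a2=7f20 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=9 success=yes exit=139637976727552 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1201 pid=4242 auid=1000 uid=1000 comm="loader" exe="/tmp/loader" key="mem"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1337 a2=0 a3=0 items=0 ppid=1201 pid=4242 auid=1000 uid=1000 comm="loader" exe="/tmp/loader" key="inject"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=9 success=yes exit=139859529416704 a0=0 a1=2000 a2=3 a3=22 items=0 ppid=900 pid=901 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key="mem"
type=PATH msg=audit(1700000000.101:201): item=0 name="/usr/bin/bash" inode=1 dev=08:01 mode=0100755
"""

def parse_audit_record(line):
    """Split one auditd record into its key=value fields; quoted values keep spaces."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields

def classify(fields):
    """Return the reasons a SYSCALL record matches this component's patterns."""
    if fields.get("type") != "SYSCALL":
        return []
    name = SYSCALL_NAMES.get(int(fields.get("syscall", -1)))
    tags = []
    if name in ("ptrace", "process_vm_writev"):
        tags.append("cross-process memory access: " + name)
    if name in ("mmap", "mprotect"):
        prot = int(fields.get("a2", "0"), 16)      # auditd logs a0..a3 as hex
        if prot & PROT_WRITE and prot & PROT_EXEC:
            tags.append(name + " with writable+executable protection")
    if name in ("unshare", "setns", "mount", "keyctl"):
        tags.append("namespace/mount manipulation: " + name)
    return tags

def scan(log_text):
    """Yield (pid, exe, reason) for every record worth an analyst's attention."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_audit_record(line)
        for tag in classify(fields):
            alerts.append((int(fields["pid"]), fields["exe"], tag))
    return alerts

if __name__ == "__main__":
    for pid, exe, reason in scan(SAMPLE_AUDIT_LOG):
        print(f"pid={pid} exe={exe}: {reason}")
```

Correlating the two hits on pid 4242 (an RWX allocation followed by ptrace from the same binary under /tmp) is the kind of behavior chain the detection strategies listed below build on.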

ID: DC0021
Domains: ICS, Mobile, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name | Channel
auditd:MMAP | memory region with RWX permissions allocated
auditd:SYSCALL | ptrace, ioctl
auditd:SYSCALL | Rules capturing clock_gettime, time, gettimeofday syscalls when enabled
auditd:SYSCALL | openat/read/ioctl: openat/read/ioctl on /dev/video* by uncommon user/process
auditd:SYSCALL | mmap, ptrace, process_vm_writev or direct memory ops
auditd:SYSCALL | unshare, mount, keyctl, setns syscalls executed by containerized processes
auditd:SYSCALL | send, recv, write: Abnormal interception or alteration of transmitted data
auditd:SYSCALL | sudo or pkexec invocation
auditd:SYSCALL | mount system call with bind or remap flags
auditd:SYSCALL | fork/clone/daemon syscall tracing
auditd:SYSCALL | ptrace, mmap, mprotect, open, dlopen
auditd:SYSCALL | ptrace, mmap, process_vm_writev
auditd:SYSCALL | execve of dd or sed targeting /proc/*/mem
AWS:CloudTrail | GetMetadata, DescribeInstanceIdentity
AWS:CloudTrail | Describe* or List* API calls
AWS:CloudTrail | Decrypt
EDR:file | SetFileTime
EDR:memory | Behavioral API telemetry (GetProcAddress, LoadLibrary, VirtualAlloc)
EDR:memory | API usage MFCreateDeviceSource, IAMStreamConfig, ICaptureGraphBuilder2, DirectShow filter graph creation from uncommon callers
EDR:memory | Objective-C/Swift calls to AVCaptureDevice/AVCaptureSession by non-whitelisted processes
EDR:memory | VirtualAlloc/VirtualProtect/MapViewOfFile indicators via stack/heap activity and ImageLoad
EDR:memory | MemoryWriteToExecutable
esxi:hostd | Remote access API calls and file uploads
ETW | Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList
etw:Microsoft-Windows-Directory-Services-SAM | api_call: Calls to DsAddSidHistory or related RPC operations
etw:Microsoft-Windows-DotNETRuntime | AssemblyLoad/ModuleLoad (Loader keyword) from Microsoft-Windows-DotNETRuntime
etw:Microsoft-Windows-Kernel-Base | GetLocaleInfoW, GetTimeZoneInformation API calls
etw:Microsoft-Windows-Kernel-File | ZwSetEaFile or ZwQueryEaFile function calls
etw:Microsoft-Windows-Kernel-Process | API tracing / stack tracing via ETW or telemetry-based EDR
etw:Microsoft-Windows-Kernel-Process | APCQueueOperations
etw:Microsoft-Windows-Kernel-Process | High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage
etw:Microsoft-Windows-Kernel-Process | API Calls
etw:Microsoft-Windows-Kernel-Process | NtQueryInformationProcess
etw:Microsoft-Windows-Kernel-Process | NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread
etw:Microsoft-Windows-Kernel-Process | api_call: UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and CreateProcess* with EXTENDED_STARTUPINFO_PRESENT / StartupInfoEx
etw:Microsoft-Windows-Kernel-Process | API calls
etw:Microsoft-Windows-Kernel-Process | CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx
etw:Microsoft-Windows-Kernel-Process | WriteProcessMemory: WriteProcessMemory targeting regions containing KernelCallbackTable addresses
etw:Microsoft-Windows-RPC | rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes
etw:Microsoft-Windows-Security-Auditing | api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser
etw:Microsoft-Windows-Win32k | SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage
etw:Microsoft-Windows-Win32k | SendMessage, PostMessage, LVM_*
ETW:ProcThread | api_call: CreateProcessWithTokenW, CreateProcessAsUserW
ETW:Token | token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser
ETW:Token | api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken
fs:fsusage | Detached process execution with no associated parent
linux:syslog | Execution of modified binaries or abnormal library load sequences
macos:osquery | open, execve: Unexpected processes accessing or modifying critical files
macos:osquery | CALCULATE: Integrity validation of transmitted data via hash checks
macos:unifiedlog | None
macos:unifiedlog | Invocation of SMLoginItemSetEnabled by non-system or recently installed application
macos:unifiedlog | flock|NSDistributedLock|FileHandle.*lockForWriting
macos:unifiedlog | application logs referencing NSTimer, sleep, or launchd delays
macos:unifiedlog | Access decisions to kTCCServiceCamera for unexpected binaries
macos:unifiedlog | audio APIs
macos:unifiedlog | com.apple.securityd, com.apple.tccd
macos:unifiedlog | authorization execute privilege requests
macos:unifiedlog | ptrace: Processes invoking ptrace with PTRACE_TRACEME flag
macos:unifiedlog | Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools
macos:unifiedlog | access or unlock attempt to keychain database
macos:unifiedlog | Execution of input detection APIs (e.g., CGEventSourceKeyState)
networkdevice:syslog | aaa privilege_exec
networkdevice:syslog | Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance
NSM:Flow | smb_command: TreeConnectAndX to \\*\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares
Process | None
snmp:trap | management queries
WinEventLog:Application | API call to AddMonitor invoked by non-installer process
WinEventLog:Microsoft-Windows-COM/Operational | CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline
WinEventLog:Security | EventCode=4656

Detection Strategy

ID | Name | Technique Detected
DET0283 | Behavior-chain detection for T1134 Access Token Manipulation on Windows | T1134
DET0482 | Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows | T1134.001
DET0456 | Behavior-chain detection for T1134.002 Create Process with Token (Windows) | T1134.002
DET0489 | Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows) | T1134.004
DET0136 | Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows) | T1134.005
DET0182 | Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS | T1135
DET0151 | Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery | T1124
DET0197 | Behavior-chain, platform-aware detection strategy for T1125 Video Capture | T1125
DET0100 | Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing | T1055.004
DET0102 | Behavioral Detection of Input Capture Across Platforms | T1056
DET0089 | Behavioral Detection of Keylogging Activity Across Platforms | T1056.001
DET0378 | Behavioral Detection of Obfuscated Files or Information | T1027
DET0508 | Behavioral Detection of Process Injection Across Platforms | T1055
DET0295 | Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching | T1055.003
DET0093 | Behavioral Detection of User Discovery via Local and Remote Enumeration | T1033
DET0221 | Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS | T1123
DET0498 | Behavior-chain detection for T1134.003 Make and Impersonate Token (Windows) | T1134.003
DET0591 | Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering | T1070.006
DET0396 | Detect Access to macOS Keychain for Credential Theft | T1555.001
DET0430 | Detect Credentials Access from Password Stores | T1555
DET0141 | Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution | T1497.003
DET0420 | Detect User Activity Based Sandbox Evasion via Input & Artifact Probing | T1497.002
DET0222 | Detecting MMC (.msc) Proxy Execution and Malicious COM Activation | T1218.014
DET0635 | Detection of Accounts | T1636.005
DET0097 | Detection of Application Window Enumeration via API or Scripting | T1010
DET0749 | Detection of Data from Local System | T0893
DET0742 | Detection of Execution through API | T0871
DET0722 | Detection of Hooking | T0874
DET0750 | Detection of Indicator Removal on Host | T0872
DET0132 | Detection of Mutex-Based Execution Guardrails Across Platforms | T1480.002
DET0753 | Detection of Native API | T0834
DET0770 | Detection of Network Connection Enumeration | T0840
DET0751 | Detection of Screen Capture | T0852
DET0765 | Detection of Service Stop | T0881
DET0898 | Detection of Spoofed User-Agent | T1036.012
DET0320 | Detection of System Network Connections Discovery Across Platforms | T1049
DET0606 | Detection of Virtualization Solution | T1670
DET0541 | Detection Strategy for /proc Memory Injection on Linux | T1055.009
DET0345 | Detection Strategy for Abuse Elevation Control Mechanism (T1548) | T1548
DET0428 | Detection Strategy for Bind Mounts on Linux | T1564.013
DET0059 | Detection Strategy for Data Manipulation | T1565
DET0371 | Detection Strategy for Debugger Evasion (T1622) | T1622
DET0091 | Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups | T1027.007
DET0219 | Detection Strategy for Escape to Host | T1611
DET0217 | Detection Strategy for Extra Window Memory (EWM) Injection on Windows | T1055.011
DET0577 | Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows. | T1574.013
DET0331 | Detection Strategy for ListPlanting Injection on Windows | T1055.015
DET0443 | Detection Strategy for Masquerading via Breaking Process Trees | T1036.009
DET0246 | Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying | T1111
DET0432 | Detection Strategy for NTFS File Attribute Abuse (ADS/EAs) | T1564.004
DET0544 | Detection Strategy for Process Doppelgänging on Windows | T1055.013
DET0382 | Detection Strategy for Process Hollowing on Windows | T1055.012
DET0203 | Detection Strategy for Ptrace-Based Process Injection on Linux | T1055.008
DET0300 | Detection Strategy for Reflective Code Loading | T1620
DET0391 | Detection Strategy for Runtime Data Manipulation. | T1565.003
DET0565 | Detection Strategy for System Language Discovery | T1614.001
DET0043 | Detection Strategy for System Location Discovery | T1614
DET0175 | Detection Strategy for T1542.004 Pre-OS Boot: ROMMONkit | T1542.004
DET0204 | Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows) | T1547.010
DET0121 | Detection Strategy for T1547.015 – Login Items on macOS | T1547.015
DET0467 | Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing | T1055.005
DET0448 | Detection Strategy for VDSO Hijacking on Linux | T1055.014
DET0254 | Detection Strategy of Transmitted Data Manipulation | T1565.002
DET0395 | macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection | T1548.004