Execution through API

Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.

ID: T0871
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S1009 Triton

Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. [1]

Targeted Assets

ID Asset
A0009 Data Gateway
A0013 Field I/O
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller
A0001 Workstation


ID Mitigation Description
M0801 Access Management

Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. [2] These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.

M0800 Authorization Enforcement

All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. [3]

M0938 Execution Prevention

Minimize the exposure of API calls that allow the execution of code.

M0804 Human User Authentication

All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.


ID Data Source Data Component Detects
DS0009 Process OS API Execution

Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.