
Execution through API

Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API call CreateProcess allow programs and scripts to start other processes with the appropriate path and argument parameters. [1]

Additional Windows API calls that can be used to execute binaries include: [2]

  • CreateProcessA() and CreateProcessW()
  • CreateProcessAsUserA() and CreateProcessAsUserW()
  • CreateProcessInternalA() and CreateProcessInternalW()
  • CreateProcessWithLogonW() and CreateProcessWithTokenW()
  • LoadLibraryA() and LoadLibraryW()
  • LoadLibraryExA() and LoadLibraryExW()
  • LoadModule()
  • LoadPackagedLibrary()
  • WinExec()
  • ShellExecuteA() and ShellExecuteW()
  • ShellExecuteExA() and ShellExecuteExW()
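The following is an added example, not code from the ATT&CK page or from any of the tools it lists. It calls CreateProcessW directly through P/Invoke from PowerShell, the way a tool that wants to avoid cmd.exe or powershell.exe as an intermediary would, and shows the path/argument contract the description refers to: lpApplicationName is passed as a full path (so no PATH or working-directory search happens), and lpCommandLine is passed separately with the program name quoted as argv[0]. The class name NativeProc and the function Invoke-CreateProcessW are names chosen for this example; the struct layouts and kernel32 signatures follow the documented Win32 definitions.

```powershell
# Added example, not code from the ATT&CK page: start a process by calling CreateProcessW
# directly through P/Invoke rather than via Start-Process, cmd.exe or powershell.exe.
$src = @'
using System;
using System.Runtime.InteropServices;

public static class NativeProc
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public uint cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public uint dwProcessId, dwThreadId;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CreateProcessW(
        string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
        bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment,
        string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo,
        out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
if (-not ('NativeProc' -as [type])) { Add-Type -TypeDefinition $src }

function Invoke-CreateProcessW {
    param(
        [Parameter(Mandatory)] [string]$ApplicationName,   # full path; no PATH or CWD search
        [Parameter(Mandatory)] [string]$CommandLine        # argv as the child will parse it
    )
    $si = New-Object -TypeName 'NativeProc+STARTUPINFO'
    $si.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object -TypeName 'NativeProc+PROCESS_INFORMATION'

    $ok = [NativeProc]::CreateProcessW(
        $ApplicationName, $CommandLine,
        [IntPtr]::Zero, [IntPtr]::Zero,     # default process/thread security attributes
        $false, 0, [IntPtr]::Zero,          # no handle inheritance, no creation flags, inherit environment
        $null, [ref]$si, [ref]$pi)          # inherit the current directory
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CreateProcessW failed with Win32 error $err"
    }
    [void][NativeProc]::WaitForSingleObject($pi.hProcess, [uint32]::MaxValue)  # INFINITE
    [void][NativeProc]::CloseHandle($pi.hThread)
    [void][NativeProc]::CloseHandle($pi.hProcess)
    return $pi.dwProcessId
}

# Run whoami.exe with no cmd.exe in between. The command line repeats the quoted program
# name as argv[0] because CreateProcess hands the string to the child unchanged.
$exe = Join-Path $env:SystemRoot 'System32\whoami.exe'
$childPid = Invoke-CreateProcessW -ApplicationName $exe -CommandLine ('"{0}" /user' -f $exe)
"whoami.exe ran as PID $childPid"
```

Two points worth noting for both sides. First, passing lpApplicationName explicitly is the safe form: when it is NULL, CreateProcess parses the executable name out of lpCommandLine and, for an unquoted path containing spaces, tries each prefix in turn, which is the behaviour behind the classic unquoted-path hijack. Second, calling the API directly avoids the cmd.exe or powershell.exe child that command-line logging keys on, but the child process is still created, so process-creation telemetry (Windows Security event 4688 or Sysmon event ID 1) records whoami.exe with the calling process as its parent; that parent/child pairing is what the Detection section below relies on.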
ID: T1106
Tactic: Execution
Platform: Windows
Permissions Required: User, Administrator, SYSTEM
Data Sources: API monitoring, Process monitoring
Contributors: Stefan Kanthak
Version: 1.0

Mitigations

Mitigation Description
Execution Prevention Identify and block potentially malicious software that may be executed through this technique by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. [3] [4] [5] [6] [7] [8]

Examples

Name Description
ADVSTORESHELL ADVSTORESHELL is capable of starting a process using CreateProcess. [11]
APT37 APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection. [27]
BADNEWS BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute. [13] [14]
Bankshot Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA(). [16]
Cobalt Strike Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe. [9]
Empire Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks. [10]
Gorgon Group Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution. [28]
HAWKBALL HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity. [24]
HyperBro HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API. [26]
InnaputRAT InnaputRAT uses the API call ShellExecuteW for execution. [18]
LightNeuron LightNeuron is capable of starting a process using CreateProcess. [25]
Mosquito Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions. [19]
PlugX PlugX can use the Windows API function CreateProcess to execute another process. [12]
Silence Silence leverages the Windows API to perform a variety of tasks. [29]
SynAck SynAck parses the export tables of system DLLs to locate and call various Windows API functions. [21] [22]
TrickBot TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow. [17]
Turla Turla and its RPC backdoors have used API calls for various tasks related to subverting AMSI and accessing and then executing commands through RPC and/or named pipes. [30]
Ursnif Ursnif has used CreateProcessW to create child processes. [23]
Volgmer Volgmer executes payloads using the Windows API call CreateProcessW(). [15]
XAgentOSX XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method. [20]

Detection

Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows API functions such as CreateProcess is common and difficult to distinguish from malicious behavior. Correlating other events with the behavior surrounding API function calls, using API monitoring, will provide additional context to an event that may assist in determining whether it is due to malicious behavior. Correlation of activity by process lineage (by process ID) may be sufficient.
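The following is an added example, not code from the ATT&CK page: it shows the lineage correlation the paragraph above recommends, run over a small set of constructed process-creation records. The records are made up for this example and use the field names of Sysmon event ID 1 (ProcessId, ParentProcessId, Image, CommandLine); the functions Get-ProcessLineage and Test-SuspiciousLineage and the Office/user-writable-directory heuristic are illustrative choices, not a published detection rule.

```powershell
# Added example, not code from the ATT&CK page: reconstruct process lineage from
# process-creation events so that an otherwise unremarkable CreateProcess event gets context.
# Constructed records shaped like Sysmon event ID 1 fields; this is not real telemetry.
$events = @(
    [pscustomobject]@{ ProcessId = 4120; ParentProcessId = 812;  Image = 'C:\Windows\explorer.exe';                       CommandLine = 'explorer.exe' }
    [pscustomobject]@{ ProcessId = 5212; ParentProcessId = 4120; Image = 'C:\Program Files\Microsoft Office\WINWORD.EXE'; CommandLine = '"WINWORD.EXE" /n invoice.docx' }
    [pscustomobject]@{ ProcessId = 5388; ParentProcessId = 5212; Image = 'C:\Users\alice\AppData\Local\Temp\update.exe';  CommandLine = 'update.exe' }
    [pscustomobject]@{ ProcessId = 5402; ParentProcessId = 5388; Image = 'C:\Windows\System32\whoami.exe';                CommandLine = 'whoami /user' }
    [pscustomobject]@{ ProcessId = 6001; ParentProcessId = 4120; Image = 'C:\Windows\System32\cmd.exe';                   CommandLine = 'cmd.exe' }
    [pscustomobject]@{ ProcessId = 6010; ParentProcessId = 6001; Image = 'C:\Windows\System32\whoami.exe';                CommandLine = 'whoami /user' }
)

function Get-ProcessLineage {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [Parameter(Mandatory)] [int]$ProcessId,
        [int]$MaxDepth = 16
    )
    # Index by PID. On real telemetry key on Sysmon's ProcessGuid/ParentProcessGuid instead,
    # because PIDs are reused and a stale parent record would splice two unrelated chains.
    $byPid = @{}
    foreach ($e in $Events) { $byPid[$e.ProcessId] = $e }

    $chain = @()
    $seen  = @{}
    $cur   = $byPid[$ProcessId]
    while ($null -ne $cur -and $chain.Count -lt $MaxDepth -and -not $seen.ContainsKey($cur.ProcessId)) {
        $seen[$cur.ProcessId] = $true
        $chain += $cur
        $cur = $byPid[$cur.ParentProcessId]   # $null once the parent is outside the data set
    }
    return ,$chain   # child first, root-most known ancestor last
}

function Test-SuspiciousLineage {
    param([Parameter(Mandatory)] [object[]]$Chain)
    # Illustrative heuristic: an Office application somewhere in the ancestry AND a binary
    # running from a user-writable location. Neither fact alone is conclusive, which is the
    # point made above about raw API or process monitoring.
    $office       = '(?i)\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$'
    $userWritable = '(?i)\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\Downloads\\'
    $hasOffice       = @($Chain | Where-Object { $_.Image -match $office }).Count -gt 0
    $hasUserWritable = @($Chain | Where-Object { $_.Image -match $userWritable }).Count -gt 0
    return ($hasOffice -and $hasUserWritable)
}

foreach ($e in $events) {
    $lineage = Get-ProcessLineage -Events $events -ProcessId $e.ProcessId
    $path = ($lineage | ForEach-Object { ($_.Image -split '\\')[-1] }) -join ' <- '
    $verdict = if (Test-SuspiciousLineage -Chain $lineage) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} pid {1,-5} {2}' -f $verdict, $e.ProcessId, $path
}
```

With these records the two whoami.exe launches are indistinguishable as individual API or process-creation events; only the one whose ancestry runs through a Temp-directory binary under WINWORD.EXE is flagged, along with that binary itself, while the same command under cmd.exe under explorer.exe is left alone. The same walk over the parent chain works for any technique that ends in a CreateProcess-family call; what changes is the predicate applied to the chain.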

References

  1. Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.
  2. Kanthak, S. (2017). Application Verifier Provider. Retrieved February 13, 2017.
  3. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  4. Gorzelany, A., Hall, J., Poggemeyer, L. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  5. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  6. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  7. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  8. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  9. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  11. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  12. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  13. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  14. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  15. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  16. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  17. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  18. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  19. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  20. Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  21. Ivanov, A., et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  22. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  23. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
  24. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  25. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  26. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  27. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  28. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  29. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  30. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.