
Execution through API

Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters. [1]

Additional Windows API calls that can be used to execute binaries include: [2]

  • CreateProcessA() and CreateProcessW(),
  • CreateProcessAsUserA() and CreateProcessAsUserW(),
  • CreateProcessInternalA() and CreateProcessInternalW(),
  • CreateProcessWithLogonW(), CreateProcessWithTokenW(),
  • LoadLibraryA() and LoadLibraryW(),
  • LoadLibraryExA() and LoadLibraryExW(),
  • LoadModule(),
  • LoadPackagedLibrary(),
  • WinExec(),
  • ShellExecuteA() and ShellExecuteW(),
  • ShellExecuteExA() and ShellExecuteExW()

ID: T1106

Tactic: Execution

Platform: Windows

Permissions Required: User, Administrator, SYSTEM

Data Sources: API monitoring, Process monitoring

Supports Remote: No

Contributors: Stefan Kanthak

Version: 1.0

Examples

Name / Description
ADVSTORESHELL

ADVSTORESHELL is capable of starting a process using CreateProcess.[3]

APT37

APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[4]

BADNEWS

BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.[5][6]

Bankshot

Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().[7]

Cobalt Strike

Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe.[8]

Gorgon Group

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.[9]

InnaputRAT

InnaputRAT uses the API call ShellExecuteW for execution.[10]

Mosquito

Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[11]

PlugX

PlugX can use the Windows API function CreateProcess to execute another process.[12]

SynAck

SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[13][14]

TrickBot

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[15]

Volgmer

Volgmer executes payloads using the Windows API call CreateProcessW().[16]

XAgentOSX

XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.[17]

Mitigation

Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. Audit and/or block potentially malicious software by using application whitelisting tools [18], such as AppLocker [19][20] or Software Restriction Policies [21], where appropriate. [22]

Detection

Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows API functions such as CreateProcess is common and difficult to distinguish from malicious behavior. Correlating other events with the behavior surrounding API function calls, using API monitoring, will provide additional context to an event and may assist in determining whether it is due to malicious behavior. Correlating activity by process lineage (parent and child process IDs) may be sufficient.
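As an added example of the lineage correlation this section recommends (not part of the ATT&CK page itself), the following Python builds parent/child chains from constructed process-creation events and flags shell hosts launched by an unexpected parent; the sample events, the SHELL_HOSTS set and the EXPECTED_PARENTS set are assumptions for illustration, not data from the page.

```python
"""Added example: correlate process-creation telemetry by lineage (PID/PPID)
so that a single API-level execution event gains parent/child context."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed sample telemetry (not from the page). Fields mimic a generic
# process-creation event: PID, parent PID, image path, command line.
SAMPLE_EVENTS = [
    ProcEvent(1200, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1344, 1200, r"C:\Program Files\Office\WINWORD.EXE", "WINWORD.EXE /n report.docx"),
    ProcEvent(2048, 1344, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(2100, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2200, 2100, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

# Hypothetical policy (assumption, not from the page): shell/script hosts whose
# launch is common, and the parents that normally start them in this environment.
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}

def lineage(procs: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Walk PPID links up to the root we hold telemetry for (root first).
    The 'seen' set guards against loops caused by PID reuse."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(ntpath.basename(cur.image))
        cur = procs.get(cur.ppid)
    return chain[::-1]

def suspicious_lineages(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Flag shell hosts whose direct parent is outside the expected set.
    A bare CreateProcess event is noise; the same event plus lineage is reviewable."""
    procs = {e.pid: e for e in events}
    flags = []
    for e in events:
        if ntpath.basename(e.image).lower() not in SHELL_HOSTS:
            continue
        parent = procs.get(e.ppid)
        if parent and ntpath.basename(parent.image).lower() not in EXPECTED_PARENTS:
            flags.append((e.pid, lineage(procs, e.pid)))
    return sorted(flags)
```

On the sample data only the cmd.exe instance started by WINWORD.EXE is flagged; the cmd.exe started from explorer.exe and its ipconfig.exe child are left alone.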

References