Execution through API

Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess allow programs and scripts to start other processes with the proper path and argument parameters.[1]

Additional Windows API calls that can be used to execute binaries include:[2]

  • CreateProcessA() and CreateProcessW(),
  • CreateProcessAsUserA() and CreateProcessAsUserW(),
  • CreateProcessInternalA() and CreateProcessInternalW(),
  • CreateProcessWithLogonW(), CreateProcessWithTokenW(),
  • LoadLibraryA() and LoadLibraryW(),
  • LoadLibraryExA() and LoadLibraryExW(),
  • LoadModule(),
  • LoadPackagedLibrary(),
  • WinExec(),
  • ShellExecuteA() and ShellExecuteW(),
  • ShellExecuteExA() and ShellExecuteExW()

ID: T1106

Tactic: Execution

Platform: Windows

Permissions Required: User, Administrator, SYSTEM

Data Sources: API monitoring, Process monitoring

Supports Remote: No

Contributors: Stefan Kanthak

Version: 1.0



  • ADVSTORESHELL is capable of starting a process using CreateProcess.[3]
  • APT37 leverages the Windows API calls VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[4]
  • BADNEWS has a command to download an .exe and execute it via the CreateProcess API. It can also run with ShellExecute.[5][6]
  • Bankshot creates processes using the Windows API calls CreateProcessA() and CreateProcessAsUserA().[7]
  • Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe.[8]
  • Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.[9]
  • Gorgon Group malware can leverage the Windows API call CreateProcessA() for execution.[10]
  • InnaputRAT uses the API call ShellExecuteW for execution.[11]
  • Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[12]
  • PlugX can use the Windows API function CreateProcess to execute another process.[13]
  • SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[14][15]
  • TrickBot uses the Windows API call CreateProcessW() to manage execution flow.[16]
  • Volgmer executes payloads using the Windows API call CreateProcessW().[17]
  • XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.[18]


Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. Audit and/or block potentially malicious software by using whitelisting[19] tools, like AppLocker,[20][21] or Software Restriction Policies[22] where appropriate.[23]


Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows API functions such as CreateProcess is common and difficult to distinguish from malicious behavior. Correlating other events with the behavior surrounding API function calls, using API monitoring, will provide additional context that may help determine whether an event is due to malicious behavior. Correlating activity by process lineage (parent and child process IDs) may be sufficient.
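As an added example of the lineage correlation described above (this is not code from the ATT&CK page), the following Python builds parent/child chains from constructed Sysmon Event ID 1-style process-creation records and flags processes that descend from a document handler through an image launched from a user-writable path. The field names, sample paths, and the handler and path heuristics are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1-style fields, assumed)."""
    pid: int
    ppid: int
    image: str

# Constructed sample events (not real telemetry); PID 1 is the session root.
EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(1200, 400, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ProcEvent(1350, 1200, r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ProcEvent(1400, 400, r"C:\Windows\System32\notepad.exe"),
    ProcEvent(1500, 1350, r"C:\Windows\System32\cmd.exe"),
]

DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def lineage(index: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Process plus its ancestors, nearest first; stops on unknown or repeated PIDs."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain

def find_suspicious(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Flag processes whose ancestry passes through a document handler and
    then through an image launched from a user-writable path."""
    index = {e.pid: e for e in events}
    hits = []
    for ev in events:
        chain = lineage(index, ev.pid)
        for depth, anc in enumerate(chain):
            if basename(anc.image) in DOCUMENT_HANDLERS:
                below = chain[:depth]  # from ev up to the handler's direct child
                writable = [p for p in below if any(s in p.image.lower() for s in USER_WRITABLE)]
                if writable:
                    hits.append((ev.pid, f"{basename(anc.image)} -> {basename(writable[-1].image)}"))
                break  # the nearest handler decides
    return hits
```

On the sample data, update.exe (PID 1350) and the cmd.exe it spawns (PID 1500) are flagged because WINWORD.EXE is in their ancestry, while notepad.exe under explorer.exe is not.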