Native API

Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.[1][2] These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as to carry out tasks and requests during routine operations.

Functionality provided by native APIs is often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() allow programs and scripts to start other processes.[3][4] This may allow API callers to execute a binary, run a CLI command, load modules, etc., as thousands of similar API functions exist for various system operations.[5][6][7]

Higher-level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.[8][9][10][11]

Adversaries may abuse these native API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

ID: T1106
Sub-techniques: No sub-techniques
Tactic: Execution
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: API monitoring, Loaded DLLs, Process monitoring, System calls
Contributors: Stefan Kanthak
Version: 2.0
Created: 31 May 2017
Last Modified: 01 July 2020

Procedure Examples

Name Description
ADVSTORESHELL

ADVSTORESHELL is capable of starting a process using CreateProcess.[22]

APT37

APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[55]

Aria-body

Aria-body has the ability to launch files using ShellExecute.[45]

Attor

Attor's dispatcher has used CreateProcessW API for execution.[40]

BackConfig

BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.[53]

BADNEWS

BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.[24][25]

Bankshot

Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().[27]

BBK

BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd.[48]

build_downer

build_downer has the ability to use the WinExec API to execute malware on a compromised host.[48]

Cobalt Strike

Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe.[18]

ComRAT

ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.[54]

Denis

Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of process hollowing.[50]

Empire

Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.[19]

Gamaredon Group

Gamaredon Group malware has used CreateProcess to launch additional malicious components.[61]

Goopy

Goopy has the ability to enumerate the infected system's user name via GetUserNameW.[50]

Gorgon Group

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.[56]

HAWKBALL

HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.[35]

HotCroissant

HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.[39]

HyperBro

HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.[37]

Imminent Monitor

Imminent Monitor has leveraged CreateProcessW() call to execute the debugger.[20]

InnaputRAT

InnaputRAT uses the API call ShellExecuteW for execution.[29]

LightNeuron

LightNeuron is capable of starting a process using CreateProcess.[36]

MAZE

MAZE has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.[43]

Metamorfo

Metamorfo has used native WINAPI calls.[51]

Mosquito

Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[30]

Netwalker

Netwalker can use Windows API functions to inject the ransomware DLL.[46]

PlugX

PlugX can use the Windows API function CreateProcess to execute another process.[23]

Pony

Pony has used several Windows functions for various purposes.[44]

Ramsay

Ramsay can use the Windows COM API to schedule tasks and maintain persistence as well as the WriteFile, CloseHandle, and GetCurrentHwProfile functions during collection.[47]

RDFSNIFFER

RDFSNIFFER has used several Win32 API functions to interact with the victim machine.[38]

Rising Sun

Rising Sun used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().[42]

RTM

RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.[49]

Ryuk

Ryuk has used multiple native APIs including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.[41]

Sharpshooter

Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().[42]

ShimRat

ShimRat has used Windows API functions to install the service and shim.[21]

ShimRatReporter

ShimRatReporter used several Windows API functions to gather information from the infected system.[21]

Silence

Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.[57][58]

SynAck

SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[32][33]

TrickBot

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[28]

Tropic Trooper

Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.[60]

Turla

Turla and its RPC backdoors have used API calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.[59]

Ursnif

Ursnif has used CreateProcessW to create child processes.[34]

Volgmer

Volgmer executes payloads using the Windows API call CreateProcessW().[26]

WindTail

WindTail can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.[52]

XAgentOSX

XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.[31]

Mitigations

Mitigation Description
Execution Prevention

Identify and block potentially malicious software that may be executed through this technique by using application control tools [12], like Windows Defender Application Control [13], AppLocker [14][15], or Software Restriction Policies [16] where appropriate. [17]

Detection

Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient.

Utilization of the Windows API may involve processes loading/accessing system DLLs associated with providing called functions (ex: kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity.
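As an added example (not part of the ATT&CK page or of any tooling from the referenced vendors) of the correlation the two paragraphs above describe, the Python below walks constructed Sysmon-style ProcessCreate and ImageLoad events, suppresses loads of the named DLLs (kernel32.dll, advapi32.dll, user32.dll, gdi32.dll) by processes running from trusted system directories, and attaches the process lineage to every remaining hit so an analyst sees what spawned the loading process. The trusted-directory list, the GUIDs and every path value are assumptions made for this example.

```python
"""Correlate DLL-load events with process lineage.

Added example: the events below are constructed to resemble Sysmon
ProcessCreate (EventID 1) and ImageLoad (EventID 7) records. Field names
follow Sysmon's; every value (GUIDs, paths) is invented for this example.
"""

# DLLs named in the detection text as backing commonly used Win32 API functions.
WATCHED_DLLS = {"kernel32.dll", "advapi32.dll", "user32.dll", "gdi32.dll"}

# Directories from which a process is expected to run (assumption for this
# example; a real deployment would use its own allow-list or signing checks).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events: explorer -> WINWORD -> update.exe dropped in %TEMP%.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "p1", "ParentProcessGuid": "p0",
     "Image": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "p2", "ParentProcessGuid": "p1",
     "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"EventID": 1, "ProcessGuid": "p3", "ParentProcessGuid": "p2",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"EventID": 7, "ProcessGuid": "p2",
     "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 7, "ProcessGuid": "p3",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 7, "ProcessGuid": "p3",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\advapi32.dll"},
    {"EventID": 7, "ProcessGuid": "p3",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},  # not watched, ignored
]


def build_process_table(events):
    """Map ProcessGuid -> (image path, parent ProcessGuid) from ProcessCreate events."""
    table = {}
    for ev in events:
        if ev["EventID"] == 1:
            table[ev["ProcessGuid"]] = (ev["Image"], ev["ParentProcessGuid"])
    return table


def lineage(guid, table, max_depth=16):
    """Walk parent links upward from guid; returns image paths, child first.

    Stops at the first process with no ProcessCreate event in the table,
    on a cycle (GUID reuse), or after max_depth hops.
    """
    chain, seen = [], set()
    while guid in table and guid not in seen and len(chain) < max_depth:
        seen.add(guid)
        image, parent = table[guid]
        chain.append(image)
        guid = parent
    return chain


def is_trusted_path(image):
    """True when the process image lives under one of the trusted directories."""
    return image.lower().startswith(TRUSTED_DIRS)


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_loads(events):
    """Return {ProcessGuid: hit} for untrusted-path processes loading watched DLLs.

    Loads by processes under TRUSTED_DIRS are skipped: benign use of these
    DLLs is the norm and would otherwise drown the signal. Each hit carries
    the loading process's lineage as the context the detection text asks for.
    """
    table = build_process_table(events)
    hits = {}
    for ev in events:
        if ev["EventID"] != 7:
            continue
        dll = basename(ev["ImageLoaded"])
        if dll not in WATCHED_DLLS or is_trusted_path(ev["Image"]):
            continue
        hit = hits.setdefault(ev["ProcessGuid"], {
            "image": ev["Image"],
            "dlls": set(),
            "lineage": lineage(ev["ProcessGuid"], table),
        })
        hit["dlls"].add(dll)
    for hit in hits.values():          # sorted lists give stable report output
        hit["dlls"] = sorted(hit["dlls"])
    return hits


if __name__ == "__main__":
    for guid, hit in find_suspicious_loads(SAMPLE_EVENTS).items():
        print(f"{guid}: {hit['image']} loaded {', '.join(hit['dlls'])}")
        print("  lineage: " + " <- ".join(hit["lineage"]))
```

On the sample data only the process running from the user's Temp directory is reported, with its Office parent and explorer grandparent attached; WINWORD's own load of kernel32.dll is suppressed because it runs from a trusted directory. In a real pipeline the trusted-path test would be replaced or supplemented by signature and reputation checks, and the lineage would be joined against the ProcessCreate command lines as well.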

References

  1. The NTinternals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020.
  2. Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.
  3. Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.
  4. Free Software Foundation, Inc. (2020, June 18). Creating a Process. Retrieved June 25, 2020.
  5. Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.
  6. Kerrisk, M. (2016, December 12). libc(7) — Linux manual page. Retrieved June 25, 2020.
  7. glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.
  8. Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.
  9. Apple. (n.d.). Core Services. Retrieved June 25, 2020.
  10. Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.
  11. Apple. (n.d.). Foundation. Retrieved July 1, 2020.
  12. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  13. Gorzelany, A., Hall, J., Poggemeyer, L. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  14. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  15. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  16. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  17. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  18. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  19. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  20. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  21. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  22. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  23. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  24. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  25. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  26. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  27. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  28. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  29. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  30. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  31. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  32. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  33. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  34. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
  35. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  36. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  37. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  38. Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  39. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  40. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  41. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  42. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  43. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  44. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  45. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  46. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  47. Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  48. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  49. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  50. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  51. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  52. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  53. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  54. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  55. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  56. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  57. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  58. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  59. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  60. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  61. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.