Description
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.
Native API functions (such as NtCreateProcess) may be directly invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc., as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
Adversaries may use assembly to directly or indirectly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user-mode API hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via Disable or Modify Tools.
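As an added illustration of the API-monitoring side described above (this is example code written for this page, not part of the ATT&CK entry or any vendor product), the following detector runs over constructed API-call telemetry. It assumes a hypothetical sensor that records, per call, the calling process id, the API name, the target process id and the module that issued the call, and it flags two of the patterns this page mentions: the VirtualAlloc / WriteProcessMemory / CreateRemoteThread sequence against another process, and Nt*/Zw* calls issued from a module other than ntdll.dll, which is one signal of a direct syscall bypassing user-mode hooks.

```python
"""Toy detection logic for Native API (T1106) telemetry.

Added example, not part of the ATT&CK page. It assumes a hypothetical
API-monitoring sensor that emits one record per call: (sequence number,
calling pid, API name, target pid, module that issued the call).
All events below are constructed sample data, not real telemetry.
"""
from collections import defaultdict

# Constructed sample events: (seq, pid, api, target_pid, caller_module)
SAMPLE_EVENTS = [
    (1, 4100, "VirtualAllocEx", 612, "ntdll.dll"),
    (2, 4100, "WriteProcessMemory", 612, "ntdll.dll"),
    (3, 4100, "CreateRemoteThread", 612, "ntdll.dll"),
    (4, 5200, "VirtualAlloc", 5200, "ntdll.dll"),               # routine self-alloc
    (5, 5200, "CreateProcessW", 5200, "kernel32.dll"),          # ordinary process start
    (6, 7300, "NtAllocateVirtualMemory", 7300, "payload.exe"),  # stub outside ntdll
    (7, 7300, "NtWriteVirtualMemory", 612, "ntdll.dll"),        # write without alloc
]

# Each stage accepts the Win32 wrapper or its underlying native call.
INJECTION_TRIAD = (
    {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"CreateRemoteThread", "NtCreateThreadEx"},
)


def find_injection_triads(events):
    """Return (pid, target_pid) pairs that complete alloc -> write -> thread
    against a different process, in order, anywhere in the event stream."""
    stage = defaultdict(int)  # (pid, target) -> index of next expected stage
    hits = []
    for _seq, pid, api, target, _mod in sorted(events):
        if target == pid:
            continue  # calls against the caller's own process are routine
        key = (pid, target)
        if api in INJECTION_TRIAD[stage[key]]:
            stage[key] += 1
            if stage[key] == len(INJECTION_TRIAD):
                hits.append(key)
                stage[key] = 0
    return hits


def find_direct_syscalls(events):
    """Flag Nt*/Zw* calls whose issuing module is not ntdll.dll: a native
    call reaching the kernel from elsewhere suggests a hand-rolled syscall
    stub that sidesteps user-mode hooks placed on ntdll exports."""
    return [(pid, api, mod) for _seq, pid, api, _target, mod in events
            if api.startswith(("Nt", "Zw")) and mod.lower() != "ntdll.dll"]
```

Both checks are heuristics: legitimate debuggers and some security products also write into other processes, so in practice the hits are triaged against process lineage and code-signing context rather than alerted on blindly.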
Platforms
Mitigations (2)
Execution PreventionM1038
Identify and block potentially malicious software that may be executed through this technique by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) whe
Behavior Prevention on EndpointM1040
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. (Citation: win10_asr)
Threat Groups (20)
| ID | Group | Context |
|---|---|---|
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has leveraged Windows Native API functions to execute payloads.(Citation: Security Scorecard Med... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) has called various native OS APIs.(Citation: Zscaler Higaisa 2020) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used the Windows API <code>ObtainUserAgentString</code> to obtain the User-Agent from a com... |
| G0078 | Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can leverage the Windows API call, CreateProcessA(), for execution.(Citation: Unit 42 Go... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) and its RPC backdoors have used API calls for various tasks related to subverting AMSI and accessing t... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used direct Windows system calls by leveraging Dumpert.(Citation: Cycraft Chimera April 2020) |
| G0098 | BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used built-in API functions.(Citation: IronNet BlackTech Oct 2021) |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) uses [Prestige](https://attack.mitre.org/software/S1058) to disable and restore file system red... |
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) has executed malware by calling the API function `CreateProcessW`.(Citation: MalwareBytes SideCopy ... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has used `WinExec` to execute commands received from C2 on compromised hosts.(Citation: Kaspersky To... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used native APIs including <code>GetModuleFileName</code>, <code>lstrcat</code>, <code>CreateFil... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for pro... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has utilized Native APIs to collect data from victim hosts and facilitate execution of malicious scri... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used <code>CreateProcess</code> to launch additional malicious components.(Citati... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used various Windows API calls during execution and defense evasion.(Citation: Eset PlugX K... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used the `RtlIpv4StringToAddressA` to convert IP-formatted string to a byte array.(Citation: Check ... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used the Windows API to execute code within a victim's system.(Citation: CISA AA20-239A BeagleBoyz ... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has deployed payloads that use Windows API calls on a compromised host.(Citation: Korean FSI TA505 2020... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variet... |
Associated Software (203)
| ID | Name | Type | Context |
|---|---|---|---|
| S0396 | EvilBunny | Malware | [EvilBunny](https://attack.mitre.org/software/S0396) has used various API calls as part of its checks to see if the malware is running in a sandbox.(C... |
| S1179 | Exbyte | Malware | [Exbyte](https://attack.mitre.org/software/S1179) calls `ShellExecuteW` with the `lpOperation` parameter `RunAs` to launch `explorer.exe` with elevate... |
| S0141 | Winnti for Windows | Malware | [Winnti for Windows](https://attack.mitre.org/software/S0141) can use Native API to create a new process and to start services.(Citation: Novetta Winn... |
| S0453 | Pony | Malware | [Pony](https://attack.mitre.org/software/S0453) has used several Windows functions for various purposes.(Citation: Malwarebytes Pony April 2016) |
| S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) can use various Linux API functions including those for execution and discovery.(Citation: NC... |
| S0268 | Bisonal | Malware | [Bisonal](https://attack.mitre.org/software/S0268) has used the Windows API to communicate with the Service Control Manager to execute a thread.(Citat... |
| S0084 | Mis-Type | Malware | [Mis-Type](https://attack.mitre.org/software/S0084) has used Windows API calls, including `NetUserAdd` and `NetUserDel`.(Citation: Cylance Dust Storm) |
| S0678 | Torisma | Malware | [Torisma](https://attack.mitre.org/software/S0678) has used various Windows API calls.(Citation: McAfee Lazarus Nov 2020) |
| S0627 | SodaMaster | Malware | [SodaMaster](https://attack.mitre.org/software/S0627) can use <code>RegOpenKeyW</code> to access the Registry.(Citation: Securelist APT10 March 2021) |
| S0629 | RainyDay | Malware | The file collection tool used by [RainyDay](https://attack.mitre.org/software/S0629) can utilize native API including <code>ReadDirectoryChangeW</code... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154)'s Beacon payload is capable of running shell commands without <code>cmd.exe</code> and PowerS... |
| S1013 | ZxxZ | Malware | [ZxxZ](https://attack.mitre.org/software/S1013) has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`.(Citation: Cisco... |
| S0610 | SideTwist | Malware | [SideTwist](https://attack.mitre.org/software/S0610) can use <code>GetUserNameW</code>, <code>GetComputerNameW</code>, and <code>GetComputerNameExW</c... |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) has the ability to use OS APIs including `CheckRemoteDebuggerPresent`.(Citation: Telefonica Snip3 ... |
| S0434 | Imminent Monitor | Tool | [Imminent Monitor](https://attack.mitre.org/software/S0434) has leveraged CreateProcessW() call to execute the debugger.(Citation: QiAnXin APT-C-36 Fe... |
| S0638 | Babuk | Malware | [Babuk](https://attack.mitre.org/software/S0638) can use multiple Windows API calls for actions on compromised hosts including discovery and execution... |
| S0625 | Cuba | Malware | [Cuba](https://attack.mitre.org/software/S0625) has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum.(Citation: M... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can use native Windows APIs including `GetHostByName`.(Citation: Joint Cybersecurity Advisory AA23... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use <code>GetProcAddress</code> to help delete malicious strings from memory.(Citation: ATT QakB... |
| S0611 | Clop | Malware | [Clop](https://attack.mitre.org/software/S0611) has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProc... |
References
- Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.
- Apple. (n.d.). Core Services. Retrieved June 25, 2020.
- Apple. (n.d.). Foundation. Retrieved July 1, 2020.
- de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.
- Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.
- Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.
- Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.
- glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.
- Kerrisk, M. (2016, December 12). libc(7) — Linux manual page. Retrieved June 25, 2020.
- Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.
Frequently Asked Questions
What is T1106 (Native API)?
T1106 is a MITRE ATT&CK technique named 'Native API'. It belongs to the Execution tactic(s). Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, suc...
How can T1106 be detected?
Detection of T1106 (Native API) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1106?
There are 2 documented mitigations for T1106. Key mitigations include: Execution Prevention, Behavior Prevention on Endpoint.
Which threat groups use T1106?
Known threat groups using T1106 include: Medusa Group, Higaisa, Lazarus Group, Gorgon Group, Turla, Chimera, BlackTech, Sandworm Team.