# T1106 Native API

-----------------------------------------------------------------------

## Technique Description

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as when carrying out tasks and requests during routine operations.

Native API functions (such as <code>NtCreateProcess</code>) may be directly invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc., as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).

## Technique Detection

Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and may be difficult to distinguish from malicious behavior. Correlating API-monitoring data with other events surrounding the API function calls provides additional context that may help determine whether an event is due to malicious behavior. Correlating activity by process lineage (process ID and parent process ID) may be sufficient.

Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. 

-----------------------------------------------------------------------

### Tactics:

  * Execution

### Platforms:

  * Windows

  * macOS

  * Linux

### Data Sources:

  * **Process:** OS API Execution

  * **Module:** Module Load

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) has called various native OS APIs.(Citation: Zscaler Higaisa 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used the CreateProcessA and ShellExecute API function to launch commands after being injected into a selected process.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used direct Windows system calls by leveraging Dumpert.(Citation: Cycraft Chimera April 2020)| 
| Sharpshooter | [Sharpshooter](https://attack.mitre.org/groups/G0104)'s first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().(Citation: McAfee Sharpshooter December 2018)| 
| BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used built-in API functions.(Citation: IronNet BlackTech Oct 2021)| 
| Silence | [Silence](https://attack.mitre.org/groups/G0091) has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used the Windows API to execute code within a victim's system.(Citation: CISA AA20-239A BeagleBoyz August 2020) | 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.(Citation: TrendMicro Tropic Trooper May 2020)| 
| Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can leverage the Windows API call, CreateProcessA(), for execution.(Citation: Unit 42 Gorgon Group Aug 2018)| 
| APT37 | [APT37](https://attack.mitre.org/groups/G0067) leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.(Citation: Talos Group123)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used <code>CreateProcess</code> to launch additional malicious components.(Citation: ESET Gamaredon June 2020)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used native APIs including <code>GetModuleFileName</code>, <code>lstrcat</code>, <code>CreateFile</code>, and <code>ReadFile</code>.(Citation: Symantec Cicada November 2020)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used the Windows API <code>ObtainUserAgentString</code> to obtain the User-Agent from a compromised host to connect to a C2 server.(Citation: McAfee Lazarus Jul 2020) [Lazarus Group](https://attack.mitre.org/groups/G0032) has also used various, often lesser known, functions to perform various types of Discovery and [Process Injection](https://attack.mitre.org/techniques/T1055).(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) and its RPC backdoors have used API calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.(Citation: ESET Turla PowerShell May 2019)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1106)

  * [Macos Cocoa](https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1), Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.

  * [Apple Core Services](https://developer.apple.com/documentation/coreservices), Apple. (n.d.). Core Services. Retrieved June 25, 2020.

  * [Macos Foundation](https://developer.apple.com/documentation/foundation), Apple. (n.d.). Foundation. Retrieved July 1, 2020.

  * [Outflank System Calls](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/), de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.

  * [Gnu Fork](https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html), Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.

  * [Cyberbit System Calls](https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/), Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.

  * [Glibc](https://www.gnu.org/software/libc/), glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.

  * [Libc](https://man7.org/linux/man-pages//man7/libc.7.html), Kerrisk, M. (2016, December 12). libc(7) — Linux manual page. Retrieved June 25, 2020.

  * [Linux Kernel Api](https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html), Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.

  * [Mdsec System Calls](https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/), MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.

  * [Microsoft Createprocess](http://msdn.microsoft.com/en-us/library/ms682425), Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.

  * [Microsoft Win32](https://docs.microsoft.com/en-us/windows/win32/api/), Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.

  * [Microsoft Net](https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework), Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.

  * [Nt Api Windows](https://undocumented.ntinternals.net/), Nowak, T. and the NTinternals.net team. (n.d.). Retrieved June 25, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*

-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 22 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Turla will use API calls for various tasks related to subverting AMSI and for accessing and then executing commands through RPC and/or named pipes.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Sensor Location.

## Analytical References

  * https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- This TTP is best detected by Host operators.
- Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and difficult to distinguish from malicious behavior.

#### Analytic 1

  * **Information:** Identify attempts to access AmsiScanBuffer. This is the function AMSI uses to scan a buffer of content and determine whether it needs to be flagged as malicious.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Event ID [4663](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4663) will usually be more reliable than [4656](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4656) and [4658](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4658).

  * **Query:** ```event_id:[4663, 4656, 4658] AND object.name:"amsi.dll"```

#### Analytic 2

  * **Information:** Monitor for named pipe creation and connection events for possible indicators of infected processes with external modules.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** FYSA: `event.code` is the Event ID. Event ID 17 (Sysmon) = Pipe Created and Event ID 18 (Sysmon) = Pipe Connected. Finally, this is noisy. Don't use this unless you have a strict timeline of interest you're already homing in on, or you will be inundated with results.

  * **Query:** ```event.code: (17 OR 18)```
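As an added example (not part of the MITRE page or this hunt template), the Python below joins Analytic 1 hits (object access to amsi.dll) with Analytic 2 pipe events from the same process ID inside a short window, which is the correlate-by-process-lineage approach the detection text and the Hunter Notes call for. The sample records and their flattened field names (pid, image, object_name, pipe_name) are constructed; real Winlogbeat documents use nested ECS fields.

```python
from datetime import datetime, timedelta
# Analytic 1: Security-log object-access event IDs (they only fire when object
# access auditing is enabled and amsi.dll carries a SACL); Analytic 2: Sysmon IDs.
AMSI_CODES = {4663, 4656, 4658}
PIPE_CODES = {17, 18}             # 17 = Pipe Created, 18 = Pipe Connected
# Constructed sample records with flattened field names (pid, image, object_name,
# pipe_name); real Winlogbeat documents use nested ECS fields instead.
EVENTS = [
    {"ts": "2021-07-22T10:00:01", "event_code": 4663, "pid": 4120,
     "image": "powershell.exe", "object_name": r"C:\Windows\System32\amsi.dll"},
    {"ts": "2021-07-22T10:00:03", "event_code": 17, "pid": 4120,
     "image": "powershell.exe", "pipe_name": r"\\.\pipe\status_ab12"},
    {"ts": "2021-07-22T10:00:04", "event_code": 18, "pid": 5210,
     "image": "svchost.exe", "pipe_name": r"\\.\pipe\status_ab12"},
    {"ts": "2021-07-22T10:05:00", "event_code": 17, "pid": 7777,
     "image": "spoolsv.exe", "pipe_name": r"\\.\pipe\spoolss"},
    {"ts": "2021-07-22T10:20:00", "event_code": 4663, "pid": 9001,
     "image": "explorer.exe", "object_name": r"C:\Windows\System32\amsi.dll"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def amsi_access_events(events):
    """Analytic 1 filter: object-access events whose target object is amsi.dll."""
    return [e for e in events if e["event_code"] in AMSI_CODES
            and e.get("object_name", "").lower().endswith("amsi.dll")]

def correlate_pipes(events, window_s=120):
    """For each AMSI access, keep pipe events from the same PID within window_s
    seconds (Analytic 2 alone is too noisy), then list any other PID that touched
    the same pipe name in that window as a possible injected peer process."""
    pipes = [e for e in events if e["event_code"] in PIPE_CODES]
    hits = []
    for a in amsi_access_events(events):
        t0, t1 = _ts(a), _ts(a) + timedelta(seconds=window_s)
        own = [p for p in pipes if p["pid"] == a["pid"] and t0 <= _ts(p) <= t1]
        if not own:
            continue                  # AMSI access with no pipe activity is routine
        names = {p["pipe_name"] for p in own}
        peers = sorted({p["pid"] for p in pipes if p["pipe_name"] in names
                        and p["pid"] != a["pid"] and t0 <= _ts(p) <= t1})
        hits.append({"pid": a["pid"], "image": a["image"],
                     "pipes": sorted(names), "peer_pids": peers})
    return hits

if __name__ == "__main__":
    for h in correlate_pipes(EVENTS):
        print(f"{h['image']} pid {h['pid']}: pipes {h['pipes']}, peers {h['peer_pids']}")
```

Against the sample data only the powershell.exe process is reported, because explorer.exe's amsi.dll access has no pipe activity from its PID inside the window.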



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- This TTP is best detected by Host operators.
- Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and difficult to distinguish from malicious behavior.

#### Analytic 1

  * **Information:** Remote access tools with built-in features may interact directly with the Windows API to gather information.

  * **Source:** PCAP

  * **Tool:** Moloch

  * **Notes:** N/A

  * **Query:** ```protocols == dcerpc```

#### Analytic 2

  * **Information:** Identify use of RDP over internal to external, or internal to internal.

  * **Source:** PCAP

  * **Tool:** Moloch

  * **Notes:** N/A

  * **Query_1:** ```ip.src != <internal> && protocols == rdp```

  * **Query_2:** ```ip.src == <internal> && ip.dst == <internal> && protocols == rdp```

