Native API, Technique T1106 - Enterprise
ADVSTORESHELL is capable of starting a process using CreateProcess.[16]
Akira executes native Windows functions such as GetFileAttributesW and GetSystemInfo.[17]
Amadey has used a variety of Windows API calls, including GetComputerNameA, GetUserNameA, and CreateProcessA.[18]
ANELLDR can use ZwSetInformationThread to enable debugger evasion.[19]
AppleSeed has the ability to use multiple dynamically resolved API calls.[20]
APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[21]
APT38 has used the Windows API to execute code within a victim's system.[22]
Aria-body has the ability to launch files using ShellExecute.[23]
AsyncRAT has the ability to use OS APIs including CheckRemoteDebuggerPresent.[24]
Attor's dispatcher has used CreateProcessW API for execution.[25]
Avaddon has used the Windows Crypto API to generate an AES key.[26]
AvosLocker has used a variety of Windows API calls, including NtCurrentPeb and GetLogicalDrives.[27]
Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.[28][29][30]
BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.[31]
Bad Rabbit has used various Windows API calls.[32]
BADHATCH can utilize Native API functions such as ToolHelp32 and RtlAdjustPrivilege to enable SeDebugPrivilege on a compromised machine.[33]
BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.[34][35]
Bandook has used the ShellExecuteW() function call.[36]
Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().[37]
Bazar can use various APIs to allocate memory and facilitate code execution/injection.[38]
BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd.[39]
BendyBear can load and execute modules and Windows Application Programming Interface (API) calls using standard shellcode API hashing.[40]
Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.[41]
BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW.[42]
Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion.[43][44][45][46][47]
BlackByte Ransomware uses the SetThreadExecutionState API to prevent the victim system from entering sleep.[48]
BlackTech has used built-in API functions.[49]
BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.[50]
BOOKWORM has used various Windows API calls during execution and defense evasion.[51][52] BOOKWORM has created a buffer on the heap using HeapCreate and HeapAlloc, copied shellcode into it, and then initiated execution on the heap through the callback parameter of legitimate API functions such as EnumChildWindows or EnumSystemLanguageGroupsA.[52]
BoxCaon has used Windows API calls to obtain information about the compromised host.[53]
Brute Ratel C4 can call multiple Windows APIs for execution, to share memory, and defense evasion.[54][55]
build_downer has the ability to use the WinExec API to execute malware on a compromised host.[39]
Bumblebee can use multiple Native APIs.[56][57]
CaddyWiper has the ability to dynamically resolve and use APIs, including SeTakeOwnershipPrivilege.[58]
Caminho can use System.Net.WebClient.downloadString() for file download.[59]
CANONSTAGER has leveraged Native API calls to execute code within the victim's system including GetCurrentDirectoryW, RegisterClassW and CreateWindowExW.[60] CANONSTAGER also created a new overlapped window whose window procedure processes Windows messages until a message of type 0x0018 (WM_SHOWWINDOW) is observed, which then initiates the deployment of a subsequent malicious payload.[60]
Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.[61]
Chaes used the CreateFileW() API function with read permissions to access downloaded payloads.[62]
Chimera has used direct Windows system calls by leveraging Dumpert.[63]
CHIMNEYSWEEP can use Windows APIs including LoadLibrary and GetProcAddress.[64]
Chrommme can use Windows API including WinExec for execution.[65]
CLAIMLOADER has used various Windows API calls during execution, when establishing persistence, and for defense evasion.[66][67] CLAIMLOADER has also leveraged legitimate API functions, including GetDC() and EnumFontsW(), to run its shellcode through the callback function.[66] CLAIMLOADER established persistence by utilizing the API SHSetValue().[66] CLAIMLOADER has utilized APIs with callback functions such as EnumPropsExW, EnumSystemLanguageGroupsA, and EnumCalendarInfoExW.[67]
Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().[68][69]
Cobalt Strike's Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe.[70][71][72] Cobalt Strike can also use CreateThreadpoolWait, SetThreadpoolWait, and MessageBoxA for sandbox evasion and execution of embedded payloads in memory.[73]
ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.[74]
Conti has used API calls during execution.[75][76]
CostaBricks has used a number of API calls, including VirtualAlloc, VirtualFree, LoadLibraryA, GetProcAddress, and ExitProcess.[77]
Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum.[78]
Cyclops Blink can use various Linux API functions including those for execution and discovery.[79]
DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.[80] DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution.[81] DarkGate has also used the CreateToolhelp32Snapshot, GetFileAttributesA and CreateProcessA functions to obtain a list of running processes, to check for security products and to execute its malware.[82]
DarkTortilla can use a variety of API calls for persistence and defense evasion.[83]
DCSrv has used various Windows API functions, including DeviceIoControl, as part of its encryption process.[84]
DEADEYE can execute the GetComputerNameA and GetComputerNameExA WinAPI functions.[85]
Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of process hollowing.[86]
Diavol has used several API calls like GetLogicalDriveStrings, SleepEx, SystemParametersInfoAPI, CryptEncrypt, and others to execute parts of its attack.[87]
Donut code modules use various API functions to load and inject code.[88]
DOWNIISSA can use the URLDownloadToFileA() API to download from remote resources.[89]
DRATzarus can use various API calls to see if it is running in a sandbox.[90]
Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.[91]
DynoWiper has used multiple native Windows functions, such as GetLogicalDrives and FindNextFile for discovery and file deletion.[92][93]
Egregor has used the Windows API to make detection more difficult.[94]
Embargo has leveraged Windows Native API functions to execute its operations.[95]
Emotet has used CreateProcess to create a new process to run its executable and WNetEnumResourceW to enumerate non-hidden shares.[96]
Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.[97]
EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.[98]
Exbyte calls ShellExecuteW with the lpOperation parameter set to RunAs to launch explorer.exe with elevated privileges.[99]
Explosive has a function to call the OpenClipboard wrapper.[100]
FatDuke can call ShellExecuteW to open the default browser on the URL localhost.[101]
Flagpro can use Native API to enable obfuscation including GetLastError and GetTickCount.[102]
FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed.[103]
Fooder has used the WinCrypt API for payload decryption, DuplicateTokenEx to duplicate the token of a specified process, and CreateProcessAsUserA for payload execution.[104]
FunnyDream can use Native API for defense evasion, discovery, and collection.[105]
Gamaredon Group malware has used CreateProcess to launch additional malicious components.[106][107]
Gelsemium has the ability to use various Windows API functions to perform tasks.[65]
gh0st RAT has used the InterlockedExchange, SeShutdownPrivilege, and ExitWindowsEx Windows API functions.[108]
GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.[109]
Goopy has the ability to enumerate the infected system's user name via GetUserNameW.[86]
Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.[110]
Grandoreiro can execute through the WinExec API.[111]
GrimAgent can use Native API including GetProcAddress and ShellExecuteW.[112]
GuLoader can use a number of different APIs for discovery and execution.[113]
Hancitor has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode.[114]
Havoc can use NtAllocateVirtualMemory and NtCreateThreadEx to aid process injection.[115]
HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.[116]
HeartCrypt can use Windows API functions to modify the Registry and FindResourceW, LoadResource, and LockResource to acquire a pointer to corresponding code resources.[117]
HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bytes of data.[118][119][120][121]
HermeticWizard can connect to remote shares using WNetAddConnection2W.[120]
Higaisa has called various native OS APIs.[122]
HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.[123]
HTTPTroy has leveraged Windows Native API calls, including GetProcAddress to execute functions in memory.[124]
HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.[125]
HyperStack can use Windows API's ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares.[126]
IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.[127]
IMAPLoader imports native Windows APIs such as GetConsoleWindow and ShowWindow.[128]
Imminent Monitor has leveraged a CreateProcessW() call to execute the debugger.[129]
INC Ransomware can use the API DeviceIoControl to resize the allocated space for and cause the deletion of volume shadow copy snapshots.[130]
InnaputRAT uses the API call ShellExecuteW for execution.[131]
InvisiMole can use the winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.[132]
Kapeka utilizes WinAPI calls to gather victim system information.[133]
Kevin can use the ShowWindow API to avoid detection.[134]
KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.[135]
Kimsuky has utilized Native APIs to collect data from victim hosts and facilitate execution of malicious scripts.[124][136]
KOCTOPUS can use the LoadResource and CreateProcessW APIs for execution.[137]
KONNI has hardcoded API calls within its functions to use on the victim's machine.[138]
Latrodectus has used multiple Windows API post exploitation including GetAdaptersInfo, CreateToolhelp32Snapshot, and CreateProcessW.[139][140]
Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.[141] Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection.[142][143]
LightNeuron is capable of starting a process using CreateProcess.[144]
LitePower can use various API calls.[145]
Lizar has used various Windows API functions on a victim's machine.[146]
LockBit 3.0 has the ability to directly call native Windows API items during execution.[147][148]
LODEINFO can use Windows APIs such as VirtualAllocEx(), WriteProcessMemory(), CreateRemoteThread(), NtAllocateVirtualMemory(), NtWriteVirtualMemory(), and RtlCreateUserThread() to enable memory injection of shellcode.[149]
Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.[150]
LP-Notes has used the ImpersonateLoggedOnUser API to impersonate the security context of the taskhostw.exe process.[104] Additionally, LP-Notes has also used the CredUIPromptForWindowsCredentialsW API to obtain Windows credentials.[104]
MacMa has used macOS API functions to perform tasks.[151][152]
Mafalda can use a variety of API calls.[153]
Mango has the ability to use Native APIs.[154]
MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.[155]
Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.[156]
Medusa Group has leveraged Windows Native API functions to execute payloads.[157]
Medusa Ransomware has leveraged Windows Native API functions to execute payloads.[157]
After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs.[158]
menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.[159]
metaMain can execute an operator-provided Windows command by leveraging functions such as WinExec, WriteFile, and ReadFile.[153][160]
Metamorfo has used native WINAPI calls.[161][162]
Meteor can use WinAPI to remove a victim machine from an Active Directory domain.[163]
Milan can use the API DnsQuery_A for DNS resolution.[134]
Mis-Type has used Windows API calls, including NetUserAdd and NetUserDel.[164]
Misdat has used Windows APIs, including ExitWindowsEx and GetKeyboardType.[164]
Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory.[165][166]
Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[167]
MuddyViper has the ability to relaunch itself using the CreateProcessW API.[104]
Mustang Panda has used various Windows API calls during execution and defense evasion.[168][51][169][66][67][170][171][60][52][172][173][174]
Nebulae has the ability to use CreateProcess to execute a process.[175]
Netwalker can use Windows API functions to inject the ransomware DLL.[176]
NETWIRE can use Native API including CreateProcess, GetProcessById, and WriteProcessMemory.[177]
NightClub can use multiple native APIs including GetKeyState, GetForegroundWindow, GetWindowThreadProcessId, and GetKeyboardLayout.[178]
The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption.[179][180]
njRAT has used the ShellExecute() function within a script.[181]
NOOPLDR can use native APIs NtProtectVirtualMemory, NtWriteVirtualMemory, and NtCreateThreadEx to aid process injection.[182]
ODAgent can pass commands using native APIs.[183]
OilBooster has used the ShowWindow and CreateProcessW APIs.[183]
During Operation Digital Eye, threat actors used native API such as GetUserInfo.[184]
During Operation Dream Job, Lazarus Group used Windows API ObtainUserAgentString to obtain the victim's User-Agent and used the value to connect to their C2 server.[141]
During Operation Honeybee, the threat actors deployed malware that used API calls, including CreateProcessAsUser.[185]
During Operation Sharpshooter, the first stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().[186]
During Operation Wocao, threat actors used the CreateProcessA and ShellExecute API functions to launch commands after being injected into a selected process.[187]
PAKLOG has used Windows API SetWindowsHookExW with idHook set to WH_KEYBOARD_LL and a custom hook procedure to support its keylogging functions.[173]
PcShare has used a variety of Windows API functions.[105]
Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as CheckRemoteDebuggerPresent and NtQueryInformationProcess with the ProcessDebugPort and ProcessDebugFlags information classes.[188] Other Pikabot variants populate a global list of Windows API addresses from the NTDLL and KERNEL32 libraries, and reference these entries instead of calling the APIs directly to obfuscate execution.[189]
Pillowmint has used multiple native Windows APIs to execute and conduct process injections.[190]
PipeMon's first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer.[191]
PLEAD can use ShellExecute to execute applications.[192]
PlugX can use the Windows API functions GetProcAddress, LoadLibrary, and CreateProcess to execute another process.[168][193][194]
PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code.[101]
Pony has used several Windows functions for various purposes.[195]
Prestige has used the Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection() functions to disable and restore file system redirection.[196]
Pteranodon has used various API calls.[197]
PUBLOAD has used various Windows API calls during execution, when establishing persistence, and for defense evasion.[169][67] The PUBLOAD stager leveraged Windows API functions with callbacks, including GrayStringW, EnumDateFormatsA, and LineDDA, to bypass anti-virus monitoring.[171] PUBLOAD has also utilized other native Windows API functions with callback functions such as EnumChildWindows and EnumSystemLanguageGroupsA.[52]
QakBot can use GetProcAddress to help delete malicious strings from memory.[198]
Qilin can attempt to log on to the local computer via LogonUserW and use GetLogicalDrives() and EnumResourceW() for discovery.[199][200]
QUIETCANARY can call System.Net.HttpWebRequest to identify the default proxy configured on the victim computer.[201]
The file collection tool used by RainyDay can utilize native API including ReadDirectoryChangeW for folder monitoring.[175]
Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.[202]
RCSession can use WinSock API for communication including WSASend and WSARecv.[203]
RDFSNIFFER has used several Win32 API functions to interact with the victim machine.[204]
REvil can use Native API for execution and to retrieve active services.[205][206]
Rising Sun used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().[186]
ROKRAT can use a variety of API calls to execute shellcode.[207]
When executing with non-root permissions, RotaJakiro uses the shmget API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the execvp API to help its dead process "resurrect".[208]
Royal can use multiple APIs for discovery, communication, and execution.[209]
RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.[210]
RustyWater has used CreateObject to instantiate a WScript.Shell Component Object Model (COM) object.[211] Additionally, RustyWater has used VirtualAllocEx and WriteProcessMemory to inject shellcode into explorer.exe.[211]
Ryuk has used multiple native APIs including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.[212]
S-Type has used Windows APIs, including GetKeyboardType, NetUserAdd, and NetUserDel.[164]
Sagerunex calls the WaitForSingleObject API function as part of time-check logic.[213]
Saint Bot has used different API calls, including GetProcAddress, VirtualAllocEx, WriteProcessMemory, CreateProcessA, and SetThreadContext.[214][215]
Samurai has the ability to call Windows APIs.[179]
Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection().[196]
Sardonic has the ability to call Win32 API functions to determine if powershell.exe is running.[216]
SharpDisco can leverage Native APIs through plugins including GetLogicalDrives.[178]
ShimRat has used Windows API functions to install the service and shim.[217]
ShimRatReporter used several Windows API functions to gather information from the infected system.[217]
SideCopy has executed malware by calling the API function CreateProcessW.[218]
SideTwist can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information.[219]
Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.[220][221]
SILENTTRINITY has the ability to leverage API including GetProcAddress and LoadLibrary.[222]
Siloscape makes various native API calls.[223]
SodaMaster can use RegOpenKeyW to access the Registry.[224]
SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.[77]
SplatCloak has utilized Native Windows API calls dynamically through ZwQuerySystemInformation.[173]
SplatDropper has utilized hashed Native Windows API calls.[173]
StarProxy has used native Windows API calls such as GetLocalTime() to retrieve system data.[174]
StealBit can use native APIs including LoadLibraryExA for execution and NtSetInformationProcess for defense evasion purposes.[225]
StrifeWater can use a variety of APIs for execution.[226]
Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.[227]
SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process.[228]
SVCReady can use Windows API calls to gather information from an infected host.[229]
SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[230][231]
SystemBC has utilized native Windows API functions such as EnumWindows and GetVolumeInformationA during discovery activities.[232]
SysUpdate can call the GetNetworkParams API as part of its C2 establishment process.[233]
TA505 has deployed payloads that use Windows API calls on a compromised host.[234]
Taidoor has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary.[235][236]
ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration.[237]
TinyTurla has used WinHTTP, CreateProcess, and other APIs for C2 communications and other functions.[238]
ToddyCat has used WinExec to execute commands received from C2 on compromised hosts.[180]
TONESHELL has utilized Native Windows API functions such as WriteProcessMemory and CreateRemoteThreadEx.[170] TONESHELL has also utilized Windows API functions for creating seed values including CoCreateGuid and GetTickCount.[67][174] TONESHELL has leveraged the legitimate API function EnumSystemLocalesA to run its shellcode through the callback function.[52]
Torisma has used various Windows API calls.[239]
TRAILBLAZE has leveraged raw syscalls to execute commands.[240][241]
TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[242] TrickBot has also used Nt* API functions to perform Process Injection.[243]
Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.[244]
Turla and its RPC backdoors have used API calls for various tasks related to subverting AMSI and accessing and then executing commands through RPC and/or named pipes.[245]
Uroburos can use native Windows APIs including GetHostByName.[246]
Ursnif has used CreateProcessW to create child processes.[247]
Volgmer executes payloads using the Windows API call CreateProcessW().[248]
WarzoneRAT can use a variety of API calls on a compromised host.[249]
WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.[250]
Waterbear can leverage API functions for execution.[251]
WhisperGate has used the ExitWindowsEx to flush file buffers to disk and stop running processes and other API calls.[252][253]
WindTail can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.[254]
Winnti for Windows can use Native API to create a new process and to start services.[255]
WIRTE has used RtlIpv4StringToAddressA to convert an IP-formatted string to a byte array.[256]
Woody RAT can use multiple native APIs, including WriteProcessMemory, CreateProcess, and CreateRemoteThread for process injection.[257]
XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.[258]
xCaon has leveraged native OS function calls to retrieve the victim's network adapter information using the GetAdapterInfo() API.[53]
XLoader uses the native Windows API for functionality, including defense evasion.[259]
ZeroCleare can call the GetSystemDirectoryW API to locate the system directory.[64]
ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service.
ZxxZ has used API functions such as Process32First, Process32Next, and ShellExecuteA.[260]