Native API

Information

• Name: Native API

• ID: T1106

• Tactics: TA0002

Introduction

Native API refers to adversaries leveraging direct calls to native operating system APIs to perform malicious activities, bypass security controls, and avoid detection. Within the MITRE ATT&CK framework, this technique is categorized under T1106. Attackers commonly exploit this approach to execute malicious code, manipulate system processes, evade detection mechanisms, and establish persistence by directly interfacing with low-level system functions.

Deep Dive Into Technique

Native APIs are low-level system calls provided by the operating system kernel, primarily used internally by the OS itself or by advanced applications requiring direct kernel interaction. Adversaries utilize Native APIs to:

• Evade traditional monitoring tools that typically monitor higher-level API calls.

• Execute malicious code directly in memory, bypassing standard execution controls.

• Manipulate processes and threads directly, including injection and hooking techniques.

• Access protected resources and system components without triggering security alerts.

Technical mechanisms involved in Native API exploitation include:

• Direct Syscalls: Bypassing standard Windows APIs (Win32 API) and directly invoking NT system calls (e.g., NtCreateProcess, NtAllocateVirtualMemory).

• API Hooking and Injection: Injecting malicious code into legitimate processes via native APIs to maintain stealth and persistence.

• Kernel-Level Manipulation: Using native APIs to interact with kernel objects and structures, enabling attackers to hide processes, files, or network connections.

Real-world procedures often involve the direct invocation of Native APIs through assembly code or scripting languages like PowerShell, C, or C++ to evade detection frameworks that monitor higher-level APIs.

When this Technique is Usually Used

Attackers commonly employ Native API techniques in various attack scenarios and stages, including:

• Initial Access and Execution:

  • To bypass application whitelisting and execution restrictions by directly invoking system-level APIs.

  • To execute payloads without triggering traditional antivirus or EDR (Endpoint Detection and Response) tools.

• Defense Evasion:

  • Avoiding detection by bypassing API hooking mechanisms in antivirus or other security software.

  • Manipulating processes and memory directly to hide malicious activities.

• Privilege Escalation and Persistence:

  • Injecting code into privileged system processes to escalate privileges.

  • Establishing persistent backdoors by directly interacting with kernel-level functions.

• Credential Access and Lateral Movement:

  • Extracting credentials by directly accessing memory structures via native APIs.

  • Moving laterally within networks by manipulating system objects and processes silently.

How this Technique is Usually Detected

Detection of Native API usage typically requires advanced monitoring and behavioral analysis. Common detection methods, tools, and indicators include:

• Behavioral Monitoring:

  • Observing unusual or suspicious sequences of native API calls (e.g., NtCreateThreadEx, NtAllocateVirtualMemory, NtWriteVirtualMemory).

  • Identifying abnormal interactions between processes and system-level APIs.

• Endpoint Detection and Response (EDR) Solutions:

  • Tools such as CrowdStrike Falcon, Microsoft Defender for Endpoint, Carbon Black, and SentinelOne can detect suspicious native API patterns.

  • Monitoring direct syscall usage and injection attempts into legitimate processes.

• Memory Forensics and Analysis Tools:

  • Volatility Framework and Rekall can identify suspicious memory allocations or injected threads indicative of Native API exploitation.

  • Analyzing memory dumps for unusual code execution patterns or injected DLLs.

• Indicators of Compromise (IoCs):

  • Abnormal process behavior or unexpected child processes.

  • Suspicious memory allocation patterns (e.g., RWX memory regions).

  • Unusual handles or system object manipulations observed in system logs or EDR telemetry.

Why it is Important to Detect This Technique

Detecting Native API exploitation is critical due to the significant potential impacts on systems and networks, including:

• Evasion of Traditional Security Controls:

  • Attackers bypass standard monitoring tools, antivirus, and intrusion detection systems, increasing the difficulty of detection and response.

• Privilege Escalation and Persistence:

  • Attackers gain elevated privileges by directly manipulating system objects, potentially leading to complete system compromise and persistent access.

• Data Exfiltration and Credential Theft:

  • Direct access to kernel-level APIs enables attackers to extract sensitive information and credentials, potentially leading to further compromise and data breaches.

• System Stability and Integrity Risks:

  • Direct manipulation of kernel objects and processes can destabilize systems, causing crashes, data corruption, or denial-of-service conditions.

Early detection of Native API usage allows security teams to respond swiftly, containing threats before significant harm occurs. It also provides critical visibility into advanced threats attempting to evade traditional detection methods.

Examples

Real-world examples demonstrating Native API exploitation include:

• Cobalt Strike Framework:

  • Attackers commonly leverage Cobalt Strike to inject payloads directly into legitimate processes through native API calls such as NtAllocateVirtualMemory and NtCreateThreadEx.

  • This approach helps attackers evade traditional antivirus detection and maintain persistent footholds within compromised networks.

• FIN7 Group Attacks:

  • The FIN7 cybercrime group has been observed using native API techniques to perform process injection and memory manipulation, bypassing endpoint security tools and facilitating lateral movement within victim environments.

• Turla APT Operations:

  • The Turla group utilized native API calls to inject malicious code into legitimate Windows processes, enabling stealthy persistence and credential harvesting activities within compromised networks.

• Process Hollowing Attacks:

  • Attackers leverage native APIs such as NtUnmapViewOfSection, NtAllocateVirtualMemory, and NtWriteVirtualMemory to hollow legitimate processes and inject malicious code, enabling stealthy execution and evasion of antivirus products.

In these scenarios, attackers specifically chose Native API techniques due to their effectiveness in bypassing traditional security mechanisms and maintaining stealthy operations, resulting in significant impacts such as data breaches, credential theft, and persistent compromise.