Нативный API

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.(Citation: S2 Grupo TrickBot June 2017) TrickBot has also used Nt* API functions to perform Process Injection.(Citation: Joe Sec Trickbot)

The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)

Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as `CheckRemoteDebuggerPresent`, `NtQueryInformationProcess`, `ProcessDebugPort`, and `ProcessDebugFlags`.(Citation: Zscaler Pikabot 2023) Other Pikabot variants populate a global list of Windows API addresses from the `NTDLL` and `KERNEL32` libraries, and references these items instead of calling the API items to obfuscate execution.(Citation: Elastic Pikabot 2024)

RCSession can use WinSock API for communication including WSASend and WSARecv.(Citation: Profero APT27 December 2020)

SynAck parses the export tables of system DLLs to locate and call various Windows API functions.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018)

Bumblebee can use multiple Native APIs.(Citation: Proofpoint Bumblebee April 2022)(Citation: Medium Ali Salem Bumblebee April 2022)

Amadey has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`.(Citation: BlackBerry Amadey 2020)

RDFSNIFFER has used several Win32 API functions to interact with the victim machine.(Citation: FireEye FIN7 Oct 2019)

BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.(Citation: GitHub Bloodhound)

Torisma has used various Windows API calls.(Citation: McAfee Lazarus Nov 2020)

Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

When executing with non-root permissions, RotaJakiro uses the the `shmget` API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the `execvp` API to help its dead process "resurrect".(Citation: RotaJakiro 2021 netlab360 analysis)

AvosLocker has used a variety of Windows API calls, including `NtCurrentPeb` and `GetLogicalDrives`.(Citation: Malwarebytes AvosLocker Jul 2021)

Sardonic has the ability to call Win32 API functions to determine if `powershell.exe` is running.(Citation: Bitdefender Sardonic Aug 2021)

WindTail can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.(Citation: objective-see windtail2 jan 2019)

Misdat has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`.(Citation: Cylance Dust Storm)

ShimRatReporter used several Windows API functions to gather information from the infected system.(Citation: FOX-IT May 2016 Mofang)

SILENTTRINITY has the ability to leverage API including `GetProcAddress` and `LoadLibrary`.(Citation: GitHub SILENTTRINITY Modules July 2019)

HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.(Citation: FireEye HAWKBALL Jun 2019)

Ursnif has used CreateProcessW to create child processes.(Citation: FireEye Ursnif Nov 2017)

Prestige has used the `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()` functions to disable and restore file system redirection.(Citation: Microsoft Prestige ransomware October 2022)

Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().(Citation: McAfee Bankshot)

SharpDisco can leverage Native APIs through plugins including `GetLogicalDrives`.(Citation: MoustachedBouncer ESET August 2023)

xCaon has leveraged native OS function calls to retrieve victim's network adapter's information using GetAdapterInfo() API.(Citation: Checkpoint IndigoZebra July 2021)

Pony has used several Windows functions for various purposes.(Citation: Malwarebytes Pony April 2016)

Nebulae has the ability to use CreateProcess to execute a process.(Citation: Bitdefender Naikon April 2021)

The file collection tool used by RainyDay can utilize native API including ReadDirectoryChangeW for folder monitoring.(Citation: Bitdefender Naikon April 2021)

AppleSeed has the ability to use multiple dynamically resolved API calls.(Citation: Malwarebytes Kimsuky June 2021)

NETWIRE can use Native API including CreateProcess GetProcessById, and WriteProcessMemory.(Citation: FireEye NETWIRE March 2019)

TinyTurla has used `WinHTTP`, `CreateProcess`, and other APIs for C2 communications and other functions.(Citation: Talos TinyTurla September 2021)

HyperStack can use Windows API's ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares.(Citation: Accenture HyperStack October 2020)

Bad Rabbit has used various Windows API calls.(Citation: ESET Bad Rabbit)

IMAPLoader imports native Windows APIs such as `GetConsoleWindow` and `ShowWindow`.(Citation: PWC Yellow Liderc 2023)

Aria-body has the ability to launch files using ShellExecute.(Citation: CheckPoint Naikon May 2020)

Emotet has used `CreateProcess` to create a new process to run its executable and `WNetEnumResourceW` to enumerate non-hidden shares.(Citation: Binary Defense Emotes Wi-Fi Spreader)

Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.(Citation: Github PowerShell Empire)

BADHATCH can utilize Native API functions such as, `ToolHelp32` and `Rt1AdjustPrivilege` to enable `SeDebugPrivilege` on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)

PcShare has used a variety of Windows API functions.(Citation: Bitdefender FunnyDream Campaign November 2020)

Woody RAT can use multiple native APIs, including `WriteProcessMemory`, `CreateProcess`, and `CreateRemoteThread` for process injection.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda can use a variety of API calls.(Citation: SentinelLabs Metador Sept 2022)

PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code.(Citation: ESET Dukes October 2019)

SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.(Citation: BlackBerry CostaRicto November 2020)

ODAgent can pass commands using native APIs.(Citation: ESET OilRig Downloaders DEC 2023)

GuLoader can use a number of different APIs for discovery and execution.(Citation: Medium Eli Salem GuLoader April 2021)

WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.(Citation: NCC Group WastedLocker June 2020)

InvisiMole can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.(Citation: ESET InvisiMole June 2020)

Volgmer executes payloads using the Windows API call CreateProcessW().(Citation: US-CERT Volgmer 2 Nov 2017)

WhisperGate has used the `ExitWindowsEx` to flush file buffers to disk and stop running processes and other API calls.(Citation: Cisco Ukraine Wipers January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)

Conti has used API calls during execution.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)

Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory.(Citation: Segurança Informática URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021)

Diavol has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack.(Citation: Fortinet Diavol July 2021)

Siloscape makes various native API calls.(Citation: Unit 42 Siloscape Jun 2021)

IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.(Citation: Juniper IcedID June 2020)

MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.(Citation: Kaspersky Ferocious Kitten Jun 2021)

CHIMNEYSWEEP can use Windows APIs including `LoadLibrary` and `GetProcAddress`.(Citation: Mandiant ROADSWEEP August 2022)

FatDuke can call ShellExecuteW to open the default browser on the URL localhost.(Citation: ESET Dukes October 2019)

DCSrv has used various Windows API functions, including `DeviceIoControl`, as part of its encryption process.(Citation: Checkpoint MosesStaff Nov 2021)

DRATzarus can use various API calls to see if it is running in a sandbox.(Citation: ClearSky Lazarus Aug 2020)

Rising Sun used dynamic API resolutions to various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`.(Citation: McAfee Sharpshooter December 2018)

ShimRat has used Windows API functions to install the service and shim.(Citation: FOX-IT May 2016 Mofang)

Chrommme can use Windows API including `WinExec` for execution.(Citation: ESET Gelsemium June 2021)

Avaddon has used the Windows Crypto API to generate an AES key.(Citation: Hornet Security Avaddon June 2020)

Flagpro can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`.(Citation: NTT Security Flagpro new December 2021)

XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.(Citation: XAgentOSX 2017)

CostaBricks has used a number of API calls, including `VirtualAlloc`, `VirtualFree`, `LoadLibraryA`, `GetProcAddress`, and `ExitProcess`.(Citation: BlackBerry CostaRicto November 2020)

HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.(Citation: Unit42 Emissary Panda May 2019)

Pteranodon has used various API calls.(Citation: Microsoft Actinium February 2022)

DarkTortilla can use a variety of API calls for persistence and defense evasion.(Citation: Secureworks DarkTortilla Aug 2022)

ROKRAT can use a variety of API calls to execute shellcode.(Citation: Malwarebytes RokRAT VBA January 2021)

Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: Medium Babuk February 2021)

Exbyte calls `ShellExecuteW` with the `IpOperation` parameter `RunAs` to launch `explorer.exe` with elevated privileges.(Citation: Microsoft BlackByte 2023)

PlugX can use the Windows API functions `GetProcAddress`, `LoadLibrary`, and `CreateProcess` to execute another process.(Citation: Lastline PlugX Analysis)(Citation: Proofpoint TA416 Europe March 2022)

Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.(Citation: Talos Bisonal Mar 2020)

S-Type has used Windows APIs, including `GetKeyboardType`, `NetUserAdd`, and `NetUserDel`.(Citation: Cylance Dust Storm)

Explosive has a function to call the OpenClipboard wrapper.(Citation: CheckPoint Volatile Cedar March 2015)

AsyncRAT has the ability to use OS APIs including `CheckRemoteDebuggerPresent`.(Citation: Telefonica Snip3 December 2021)

LightNeuron is capable of starting a process using CreateProcess.(Citation: ESET LightNeuron May 2019)

Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum.(Citation: McAfee Cuba April 2021)

Akira executes native Windows functions such as GetFileAttributesW and `GetSystemInfo`.(Citation: Kersten Akira 2023)

DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.(Citation: Trellix Darkgate 2023) DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution.(Citation: Ensilo Darkgate 2018) DarkGate has also used the `CreateToolhelp32Snapshot`, `GetFileAttributesA` and `CreateProcessA` functions to obtain a list of running processes, to check for security products and to execute its malware.(Citation: Rapid7 BlackBasta 2024)

LockBit 3.0 has the ability to directly call native Windows API items during execution.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: INCIBE-CERT LockBit MAR 2024)

SVCReady can use Windows API calls to gather information from an infected host.(Citation: HP SVCReady Jun 2022)

ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration.(Citation: wardle evilquest partii)

FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed.(Citation: MSTIC FoggyWeb September 2021)

Netwalker can use Windows API functions to inject the ransomware DLL.(Citation: TrendMicro Netwalker May 2020)

Brute Ratel C4 can call multiple Windows APIs for execution, to share memory, and defense evasion.(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)

Latrodectus has used multiple Windows API post exploitation including `GetAdaptersInfo`, `CreateToolhelp32Snapshot`, and `CreateProcessW`.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)

Saint Bot has used different API calls, including `GetProcAddress`, `VirtualAllocEx`, `WriteProcessMemory`, `CreateProcessA`, and `SetThreadContext`.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Chaes used the CreateFileW() API function with read permissions to access downloaded payloads.(Citation: Cybereason Chaes Nov 2020)

Sagerunex calls the `WaitForSingleObject` API function as part of time-check logic.(Citation: Cisco LotusBlossom 2025)

Royal can use multiple APIs for discovery, communication, and execution.(Citation: Cybereason Royal December 2022)

BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing.(Citation: Unit42 BendyBear Feb 2021)

Uroburos can use native Windows APIs including `GetHostByName`.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Metamorfo has used native WINAPI calls.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)

Bandook has used the ShellExecuteW() function call.(Citation: CheckPoint Bandook Nov 2020)

PipeMon's first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer.(Citation: ESET PipeMon May 2020)

KONNI has hardcoded API calls within its functions to use on the victim's machine.(Citation: Malwarebytes Konni Aug 2021)

gh0st RAT has used the `InterlockedExchange`, `SeShutdownPrivilege`, and `ExitWindowsEx` Windows API functions.(Citation: Gh0stRAT ATT March 2019)

Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: Check Point Black Basta October 2022)(Citation: Trend Micro Black Basta May 2022)

ZeroCleare can call the `GetSystemDirectoryW` API to locate the system directory.(Citation: Mandiant ROADSWEEP August 2022)

Attor's dispatcher has used CreateProcessW API for execution.(Citation: ESET Attor Oct 2019)

Imminent Monitor has leveraged CreateProcessW() call to execute the debugger.(Citation: QiAnXin APT-C-36 Feb2019)

LitePower can use various API calls.(Citation: Kaspersky WIRTE November 2021)

After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs.(Citation: IBM MegaCortex)

BoxCaon has used Windows API calls to obtain information about the compromised host.(Citation: Checkpoint IndigoZebra July 2021)

NightClub can use multiple native APIs including `GetKeyState`, `GetForegroundWindow`, `GetWindowThreadProcessId`, and `GetKeyboardLayout`.(Citation: MoustachedBouncer ESET August 2023)

Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.(Citation: ESET Turla Mosquito Jan 2018)

RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.(Citation: ESET RTM Feb 2017)

QUIETCANARY can call `System.Net.HttpWebRequest` to identify the default proxy configured on the victim computer.(Citation: Mandiant Suspected Turla Campaign February 2023)

BlackByte Ransomware uses the `SetThreadExecutionState` API to prevent the victim system from entering sleep.(Citation: Trustwave BlackByte 2021)

SodaMaster can use RegOpenKeyW to access the Registry.(Citation: Securelist APT10 March 2021)

Grandoreiro can execute through the WinExec API.(Citation: ESET Grandoreiro April 2020)

ZxxZ has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`.(Citation: Cisco Talos Bitter Bangladesh May 2022)

Bazar can use various APIs to allocate memory and facilitate code execution/injection.(Citation: Cybereason Bazar July 2020)

XLoader uses the native Windows API for functionality, including defense evasion.(Citation: Zscaler XLoader 2025)

Ryuk has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.(Citation: CrowdStrike Ryuk January 2019)

HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)(Citation: Qualys Hermetic Wiper March 2022)

Kapeka utilizes WinAPI calls to gather victim system information.(Citation: WithSecure Kapeka 2024)

Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe(Citation: cobaltstrike manual)

Cobalt Strike's Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

Donut code modules use various API functions to load and inject code.(Citation: Donut Github)

EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014)

HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.(Citation: US-CERT HOTCROISSANT February 2020)

REvil can use Native API for execution and to retrieve active services.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)

Samurai has the ability to call Windows APIs.(Citation: Kaspersky ToddyCat June 2022)

Milan can use the API `DnsQuery_A` for DNS resolution.(Citation: Kaspersky Lyceum October 2021)

OilBooster has used the `ShowWindow` and `CreateProcessW` APIs.(Citation: ESET OilRig Downloaders DEC 2023)

Taidoor has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary.(Citation: TrendMicro Taidoor)(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)

CaddyWiper has the ability to dynamically resolve and use APIs, including `SeTakeOwnershipPrivilege`.(Citation: Cisco CaddyWiper March 2022)

Cyclops Blink can use various Linux API functions including those for execution and discovery.(Citation: NCSC Cyclops Blink February 2022)

PLEAD can use `ShellExecute` to execute applications.(Citation: TrendMicro BlackTech June 2017)

GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.(Citation: Trustwave GoldenSpy June 2020)

Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.(Citation: Eset Ramsay May 2020)

Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.(Citation: Trusteer Carberp October 2010)

Pillowmint has used multiple native Windows APIs to execute and conduct process injections.(Citation: Trustwave Pillowmint June 2020)

MacMa has used macOS API functions to perform tasks.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)

FunnyDream can use Native API for defense evasion, discovery, and collection.(Citation: Bitdefender FunnyDream Campaign November 2020)

SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process.(Citation: CrowdStrike SUNSPOT Implant January 2021)

SysUpdate can call the `GetNetworkParams` API as part of its C2 establishment process.(Citation: Lunghi Iron Tiger Linux)

BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.(Citation: Unit 42 BackConfig May 2020)

DEADEYE can execute the `GetComputerNameA` and `GetComputerNameExA` WinAPI functions.(Citation: Mandiant APT41)

Mango has the ability to use Native APIs.(Citation: ESET OilRig Campaigns Sep 2023)

InnaputRAT uses the API call ShellExecuteW for execution.(Citation: ASERT InnaputRAT April 2018)

GrimAgent can use Native API including GetProcAddress and ShellExecuteW.(Citation: Group IB GrimAgent July 2021)

Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)

Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.(Citation: Talos Lokibot Jan 2021)

Egregor has used the Windows API to make detection more difficult.(Citation: Cyble Egregor Oct 2020)

StealBit can use native APIs including `LoadLibraryExA` for execution and `NtSetInformationProcess` for defense evasion purposes.(Citation: Cybereason StealBit Exfiltration Tool)

ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service.RegisterServiceCtrlHandler

build_downer has the ability to use the WinExec API to execute malware on a compromised host.(Citation: Trend Micro Tick November 2019)

Winnti for Windows can use Native API to create a new process and to start services.(Citation: Novetta Winnti April 2015)

Meteor can use `WinAPI` to remove a victim machine from an Active Directory domain.(Citation: Check Point Meteor Aug 2021)

njRAT has used the ShellExecute() function within a script.(Citation: Trend Micro njRAT 2018)

Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.(Citation: McAfee Maze March 2020)

ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.(Citation: ESET ComRAT May 2020)

metaMain can execute an operator-provided Windows command by leveraging functions such as `WinExec`, `WriteFile`, and `ReadFile`.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

SideTwist can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information.(Citation: Check Point APT34 April 2021)

KOCTOPUS can use the `LoadResource` and `CreateProcessW` APIs for execution.(Citation: MalwareBytes LazyScripter Feb 2021)

Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`.(Citation: Cylance Dust Storm)

KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.(Citation: Trend Micro KillDisk 1)

Kevin can use the `ShowWindow` API to avoid detection.(Citation: Kaspersky Lyceum October 2021)

BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)

Goopy has the ability to enumerate the infected system's user name via GetUserNameW.(Citation: Cybereason Cobalt Kitty 2017)

QakBot can use GetProcAddress to help delete malicious strings from memory.(Citation: ATT QakBot April 2021)

Hancitor has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode.(Citation: FireEye Hancitor)

Gelsemium has the ability to use various Windows API functions to perform tasks.(Citation: ESET Gelsemium June 2021)

Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.(Citation: Checkpoint Dridex Jan 2021)

BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd.(Citation: Trend Micro Tick November 2019)

Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of a process hollowing process.(Citation: Cybereason Cobalt Kitty 2017)

INC Ransomware can use the API `DeviceIoControl` to resize the allocated space for and cause the deletion of volume shadow copy snapshots.(Citation: Cybereason INC Ransomware November 2023)

Waterbear can leverage API functions for execution.(Citation: Trend Micro Waterbear December 2019)

Lizar has used various Windows API functions on a victim's machine.(Citation: BiZone Lizar May 2021)

BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW.(Citation: Crowdstrike Indrik November 2018)

ADVSTORESHELL is capable of starting a process using CreateProcess.(Citation: Bitdefender APT28 Dec 2015)

StrifeWater can use a variety of APIs for execution.(Citation: Cybereason StrifeWater Feb 2022)

WarzoneRAT can use a variety of API calls on a compromised host.(Citation: Uptycs Warzone UAC Bypass November 2020)

HermeticWizard can connect to remote shares using `WNetAddConnection2W`.(Citation: ESET Hermetic Wizard March 2022)

Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.(Citation: ESET Turla PowerShell May 2019)

Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.(Citation: TrendMicro Tropic Trooper May 2020)

Operation Wocao has used the CreateProcessA and ShellExecute API function to launch commands after being injected into a selected process.(Citation: FoxIT Wocao December 2019)

Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.(Citation: McAfee Lazarus Jul 2020) Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

Gamaredon Group malware has used CreateProcess to launch additional malicious components.(Citation: ESET Gamaredon June 2020)

APT38 has used the Windows API to execute code within a victim's system.(Citation: CISA AA20-239A BeagleBoyz August 2020)

SideCopy has executed malware by calling the API function `CreateProcessW`.(Citation: MalwareBytes SideCopy Dec 2021)

Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)

Higaisa has called various native OS APIs.(Citation: Zscaler Higaisa 2020)

APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.(Citation: Talos Group123)

Chimera has used direct Windows system calls by leveraging Dumpert.(Citation: Cycraft Chimera April 2020)

Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()`.(Citation: Microsoft Prestige ransomware October 2022)

Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().(Citation: McAfee Sharpshooter December 2018)

menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.(Citation: Symantec Cicada November 2020)

ToddyCat has used `WinExec` to execute commands received from C2 on compromised hosts.(Citation: Kaspersky ToddyCat Check Logs October 2023)

BlackTech has used built-in API functions.(Citation: IronNet BlackTech Oct 2021)

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.(Citation: Unit 42 Gorgon Group Aug 2018)

TA505 has deployed payloads that use Windows API calls on a compromised host.(Citation: Korean FSI TA505 2020)

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures: Application Control: - Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`) Script Blocking: - Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`) Executable Blocking: - Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories. Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures: Suspicious Process Behavior: - Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action. Unauthorized File Access: - Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it. Abnormal API Calls: - Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process. Exploit Prevention: - Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.