Native API (T1106)

Technique & Subtechniques

  • Native API

Associated Tactics

  • Execution

Execution (TA0002)

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
