Which SIEM platforms have a T1106 detection rule?

df00tech provides T1106 (Native API) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1106 detection?

The T1106 detection is rated high severity with medium confidence.

What are common false positives for T1106?

Common false positives for T1106 include: Endpoint security products (AV, EDR, DLP agents) that legitimately use process injection for in-memory scanning or API hooking — exclude by InitiatingProcessFileName matching known security vendor executables; Game anti-cheat engines (BattlEye, EasyAntiCheat, Vanguard) that inject into game processes for integrity monitoring — baseline these on gaming workstations; Software DRM and licensing systems that use code injection to verify license state at runtime.

T1106

Native API

Q: What data sources are required to detect Native API (T1106)?

Detecting Native API requires the following data sources: Process: Process Creation, Process: OS API Execution, Module: Module Load, Microsoft Defender for Endpoint.

Execution Last updated: April 17, 2026

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. Adversaries abuse these APIs to execute code while bypassing higher-level defensive sensors, AMSI, and user-mode API hooks. Common attack patterns include: direct syscall invocation (bypassing ntdll.dll hooks entirely), process injection via NT memory APIs (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, RtlCreateUserThread), API unhooking by re-mapping a clean copy of ntdll.dll from disk, and spawning processes via NtCreateProcess or NtCreateProcessEx rather than the standard Win32 CreateProcess. Real-world actors including Cobalt Strike, Medusa Group, and tools like SysWhispers leverage direct syscalls specifically to evade EDR user-mode hooks.

What is T1106 Native API?

Native API (T1106) maps to the Execution tactic — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for Native API, covering the data sources and telemetry it touches: Process: Process Creation, Process: OS API Execution, Module: Module Load, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution
Technique: T1106 Native API
Canonical reference: https://attack.mitre.org/techniques/T1106/

Microsoft Sentinel / Defender

kusto

// T1106 — Native API abuse: cross-process injection and direct NT API usage
// Signal 1: CreateRemoteThread API calls from suspicious initiating processes
let HighRiskParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
  "msiexec.exe", "werfault.exe", "explorer.exe"]);
let ProtectedTargets = dynamic(["lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe", "wininit.exe"]);
let TrustedSecurityTools = dynamic(["MsMpEng.exe", "SenseIR.exe", "SenseCnC.exe", "kavtray.exe",
  "bdservicehost.exe", "CylanceSvc.exe", "cb.exe"]);
let InjectionEvents =
    DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType in~ ("CreateRemoteThreadApiCall", "MemoryRemoteProtect",
                            "NtAllocateVirtualMemoryApiCall", "InjectIntoProcess")
    | extend TargetProcess = tostring(AdditionalFields.TargetProcessName)
    | extend GrantedAccess = tostring(AdditionalFields.GrantedAccess)
    | where
        // Office/script interpreters injecting into anything
        InitiatingProcessFileName has_any (HighRiskParents)
        // Any process injecting into security-critical system processes
        or (TargetProcess has_any (ProtectedTargets)
            and not (InitiatingProcessFileName has_any (TrustedSecurityTools)))
    | extend Signal = "cross_process_injection"
    | project Timestamp, DeviceName, AccountName, Signal, ActionType,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, TargetProcess, GrantedAccess,
              InitiatingProcessId, AdditionalFields;
// Signal 2: ntdll.dll loaded from non-standard path (API unhooking technique)
let UnhookingEvents =
    DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "ntdll.dll"
    | where not (FolderPath has_any ("\\Windows\\System32\\", "\\Windows\\SysWOW64\\",
                                     "\\Windows\\WinSxS\\"))
    | extend Signal = "ntdll_unhooking"
    | project Timestamp, DeviceName, AccountName, Signal,
              ActionType = "ImageLoad", InitiatingProcessFileName,
              InitiatingProcessCommandLine, InitiatingProcessParentFileName,
              TargetProcess = "", GrantedAccess = "",
              InitiatingProcessId, AdditionalFields = todynamic(pack("DllPath", FolderPath));
union InjectionEvents, UnhookingEvents
| sort by Timestamp desc

Detects Native API abuse through two complementary signals. Signal 1 monitors DeviceEvents for cross-process injection ActionTypes (CreateRemoteThreadApiCall, MemoryRemoteProtect, NtAllocateVirtualMemoryApiCall, InjectIntoProcess) where the initiating process is a high-risk Office/script interpreter or the target is a protected system process such as lsass.exe. Signal 2 monitors DeviceImageLoadEvents for ntdll.dll being loaded from non-standard filesystem locations, which is a reliable indicator of API unhooking (adversaries map a clean ntdll copy to bypass EDR hooks). Results are unioned to give analysts a single view of native API abuse activity.

high severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceImageLoadEvents

False Positives

Endpoint security products (AV, EDR, DLP agents) that legitimately use process injection for in-memory scanning or API hooking — exclude by InitiatingProcessFileName matching known security vendor executables
Game anti-cheat engines (BattlEye, EasyAntiCheat, Vanguard) that inject into game processes for integrity monitoring — baseline these on gaming workstations
Software DRM and licensing systems that use code injection to verify license state at runtime
Legitimate debuggers (WinDbg, x64dbg, Visual Studio debugger) that use NtOpenProcess and write memory for debugging — expected on developer machines
Virtualization and sandboxing tools (VMware Tools, VirtualBox Guest Additions) that load modified ntdll copies or interact with process memory for guest-host communication

Splunk

spl

// T1106 — Native API abuse: Sysmon-based detection for process injection and cross-process memory access
// Signal 1: CreateRemoteThread (Sysmon Event ID 8) — classic injection finale
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
| eval SourceImage=lower(SourceImage)
| eval TargetImage=lower(TargetImage)
| eval HighRiskSource=if(match(SourceImage,
    "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)"),
    1, 0)
| eval ProtectedTarget=if(match(TargetImage,
    "(lsass\.exe|csrss\.exe|winlogon\.exe|smss\.exe|wininit\.exe)"),
    1, 0)
| eval TrustedSecurity=if(match(SourceImage,
    "(msmpeng\.exe|senseir\.exe|cavtray\.exe|bdservicehost\.exe|cylancesvc\.exe)"),
    1, 0)
| where (HighRiskSource=1 OR ProtectedTarget=1) AND TrustedSecurity=0
| eval Signal="create_remote_thread"
| eval RiskScore=if(HighRiskSource=1 AND ProtectedTarget=1, 100, if(ProtectedTarget=1, 80, 60))
| table _time, host, User, Signal, RiskScore, SourceImage, SourceCommandLine,
         TargetImage, StartAddress, StartModule, StartFunction
| eval _comment="Signal 1: CreateRemoteThread"
| append
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
      | eval SourceImage=lower(SourceImage)
      | eval TargetImage=lower(TargetImage)
      | eval GrantedAccess=lower(GrantedAccess)
      | eval InjectRights=if(match(GrantedAccess, "(0x1f[0-9a-f]{4}|0x[0-9a-f]*38[0-9a-f]*|0x[0-9a-f]*28[0-9a-f]*)"), 1, 0)
      | eval ProtectedTarget=if(match(TargetImage, "(lsass\.exe|csrss\.exe|winlogon\.exe)"), 1, 0)
      | eval HighRiskSource=if(match(SourceImage,
            "(winword\.exe|excel\.exe|powerpnt\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe)"),
            1, 0)
      | where InjectRights=1 AND (ProtectedTarget=1 OR HighRiskSource=1)
      | eval Signal="process_access_injection_rights"
      | eval RiskScore=if(ProtectedTarget=1, 90, 65)
      | table _time, host, User, Signal, RiskScore, SourceImage, SourceCommandLine,
               TargetImage, GrantedAccess ]
| sort - RiskScore _time

Detects Native API process injection using two Sysmon event types. Signal 1 uses Event ID 8 (CreateRemoteThread) to catch the final step of process injection — a thread created in a remote process — from high-risk initiators (Office apps, script interpreters) or into protected processes (lsass, csrss, winlogon). Signal 2 uses Event ID 10 (ProcessAccess) to detect cross-process handle opens with injection-capable access rights (PROCESS_VM_WRITE 0x0020 + PROCESS_VM_OPERATION 0x0008 = 0x0028, or PROCESS_ALL_ACCESS). A risk score of 100 is assigned when both conditions are true (high-risk source AND protected target). Results are sorted by risk score to prioritize highest-severity events.

high severity medium confidence

Data Sources

Process: OS API Execution Process: Process Access Sysmon Event ID 8 (CreateRemoteThread) Sysmon Event ID 10 (ProcessAccess)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security products using CreateRemoteThread for legitimate injection (AV in-memory scanning, DLP agents) — add TrustedSecurity exclusion list per environment
Game anti-cheat engines injecting into game processes on workstations designated for gaming
Debuggers (Visual Studio, WinDbg) performing cross-process inspection with full access rights on developer machines
Monitoring tools (Process Monitor, VMware Tools) accessing process memory for diagnostic or virtualization purposes
Software installers that briefly inject into other processes for configuration patching during installation

Elastic Security (EQL)

eql

/* T1106 — Native API: process injection and ntdll unhooking
   Requires Sysmon 13+ via Elastic Agent or Winlogbeat (windows.sysmon_operational) */
any where event.dataset == "windows.sysmon_operational" and
(
  /* EID 8: CreateRemoteThread — high-risk initiator or injection into protected process */
  (
    event.code == "8" and
    (
      regex(winlog.event_data.SourceImage,
        "(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec).exe$")
      or (
        regex(winlog.event_data.TargetImage,
          "(?i)(lsass|csrss|winlogon|smss|wininit).exe$") and
        not regex(winlog.event_data.SourceImage,
          "(?i)(MsMpEng|SenseIR|SenseCnC|kavtray|bdservicehost|CylanceSvc|cb).exe$")
      )
    )
  )
  /* EID 10: ProcessAccess with injection-grade access rights */
  or (
    event.code == "10" and
    (
      regex(winlog.event_data.TargetImage,
        "(?i)(lsass|csrss|winlogon).exe$")
      or regex(winlog.event_data.SourceImage,
        "(?i)(winword|excel|powerpnt|mshta|wscript|cscript|rundll32|regsvr32).exe$")
    ) and
    winlog.event_data.GrantedAccess like~ ("0x1f*", "0x143a", "0x1438", "0x14*")
  )
  /* EID 7: ntdll.dll loaded from non-standard path — EDR hook bypass via clean-copy mapping */
  or (
    event.code == "7" and
    regex(winlog.event_data.ImageLoaded, "(?i)ntdll.dll$") and
    not (
      winlog.event_data.ImageLoaded like~ "*System32*ntdll.dll" or
      winlog.event_data.ImageLoaded like~ "*SysWOW64*ntdll.dll" or
      winlog.event_data.ImageLoaded like~ "*WinSxS*ntdll.dll"
    )
  )
)

Detects T1106 Native API abuse via three Sysmon signals: (1) CreateRemoteThread (EID 8) from high-risk Office or scripting processes, or targeting protected system processes like lsass/csrss/winlogon; (2) ProcessAccess (EID 10) with PROCESS_ALL_ACCESS or injection-enabling access masks against sensitive targets; (3) ntdll.dll image load (EID 7) from outside System32/SysWOW64/WinSxS, indicating the clean-copy remap technique used by SysWhispers and similar EDR bypass tooling. Requires Sysmon 13+ deployed via Elastic Agent Windows Integration or Winlogbeat.

high severity high confidence

Data Sources

Windows Sysmon 13+ Elastic Agent Windows Integration Winlogbeat

Required Tables

logs-windows.sysmon_operational-*

False Positives

EDR and AV agents (MsMpEng.exe, SenseIR.exe, CylanceSvc.exe) legitimately use cross-process memory APIs for scanning and real-time protection — exclude by principal process path or add to the TrustedSecurity exclusion list
Debuggers such as WinDbg, x64dbg, and OllyDbg use CreateRemoteThread and ProcessAccess with high-privilege masks as part of normal debugging workflows
Game anti-cheat systems (BattlEye, Easy Anti-Cheat) inject shim DLLs into game processes using the same injection primitives detected here

IBM QRadar (AQL)

sql

/* T1106 — Native API: process injection and ntdll unhooking
   Requires Sysmon forwarded via WEC or WinCollect with Microsoft Windows or Sysmon DSM */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserAccount,
  sourceip AS HostIP,
  QIDNAME(qid) AS SysmonEventName,
  "SourceImage" AS SourceProcess,
  "TargetImage" AS TargetProcess,
  "GrantedAccess" AS GrantedAccess,
  "ImageLoaded" AS ImageLoaded,
  "SourceCommandLine" AS CommandLine
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND (
    /* Signal 1: CreateRemoteThread (Sysmon EventCode 8) */
    (
      QIDNAME(qid) ILIKE '%CreateRemoteThread%'
      AND (
        LOWER("SourceImage") ILIKE ANY (
          '%winword.exe', '%excel.exe', '%powerpnt.exe', '%outlook.exe',
          '%mshta.exe', '%wscript.exe', '%cscript.exe',
          '%regsvr32.exe', '%rundll32.exe', '%msiexec.exe'
        )
        OR (
          LOWER("TargetImage") ILIKE ANY (
            '%lsass.exe', '%csrss.exe', '%winlogon.exe', '%smss.exe', '%wininit.exe'
          )
          AND LOWER("SourceImage") NOT ILIKE ANY (
            '%msmpeng.exe', '%senseir.exe', '%sensecnc.exe',
            '%kavtray.exe', '%bdservicehost.exe', '%cylancesvc.exe', '%cb.exe'
          )
        )
      )
    )
    /* Signal 2: ProcessAccess with injection-grade rights (Sysmon EventCode 10) */
    OR (
      QIDNAME(qid) ILIKE '%ProcessAccess%'
      AND (
        LOWER("TargetImage") ILIKE ANY ('%lsass.exe', '%csrss.exe', '%winlogon.exe')
        OR LOWER("SourceImage") ILIKE ANY (
          '%winword.exe', '%excel.exe', '%mshta.exe',
          '%wscript.exe', '%cscript.exe', '%rundll32.exe', '%regsvr32.exe'
        )
      )
      AND LOWER("GrantedAccess") SIMILAR TO
        '(0x1f[0-9a-f]{4}|0x[0-9a-f]*38[0-9a-f]*|0x143a|0x1438|0x14[0-9a-f]{2})'
    )
    /* Signal 3: ntdll.dll loaded from non-standard path (Sysmon EventCode 7) */
    OR (
      QIDNAME(qid) ILIKE '%ImageLoad%'
      AND LOWER("ImageLoaded") ILIKE '%ntdll.dll'
      AND LOWER("ImageLoaded") NOT ILIKE '%windows%system32%ntdll.dll'
      AND LOWER("ImageLoaded") NOT ILIKE '%windows%syswow64%ntdll.dll'
      AND LOWER("ImageLoaded") NOT ILIKE '%windows%winsxs%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

Detects T1106 Native API abuse in QRadar using AQL against Sysmon events. Queries three signals: CreateRemoteThread from high-risk Office/scripting processes (or into lsass/csrss/winlogon), ProcessAccess with injection-capable access masks (PROCESS_ALL_ACCESS 0x1f0000+, or combined PROCESS_VM_WRITE|CREATE_THREAD patterns), and ntdll.dll loaded from non-standard paths. The GrantedAccess SIMILAR TO pattern covers common injection masks. Note: field names (SourceImage, TargetImage, GrantedAccess, ImageLoaded) depend on the Sysmon DSM custom property extraction configuration in your QRadar deployment — verify these against your DSM's property map and adjust as needed.

high severity medium confidence

Data Sources

Windows Sysmon via WEC/WinCollect QRadar Microsoft Windows DSM QRadar Sysmon DSM (custom)

Required Tables

events

False Positives

Windows crash dump collection (WerFault.exe, werfault.exe via WER service) legitimately opens PROCESS_ALL_ACCESS handles to faulting processes — add LOWER(SourceImage) NOT ILIKE '%werfault.exe' if generating excessive volume
Application performance monitoring agents (AppDynamics, Dynatrace, New Relic) may use cross-process memory APIs for bytecode instrumentation and profiling
Security tooling with deep kernel integration may load custom copies of ntdll.dll or system DLLs from product directories for API shimming — validate ImageLoaded paths against your security product install directories

Sumo Logic CSE

sql

/* T1106 — Native API: process injection and ntdll unhooking
   Adjust _sourceCategory to match your Sysmon collection path */
_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon*
| parse "<EventID>*</EventID>" as EventID
| where EventID in ("7", "8", "10")
| parse "<SourceImage>*</SourceImage>" as SourceImage nodrop
| parse "<TargetImage>*</TargetImage>" as TargetImage nodrop
| parse "<ImageLoaded>*</ImageLoaded>" as ImageLoaded nodrop
| parse "<GrantedAccess>*</GrantedAccess>" as GrantedAccess nodrop
| parse "<User>*</User>" as UserAccount nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| parse "<SourceCommandLine>*</SourceCommandLine>" as SourceCommandLine nodrop
| eval SourceLower = toLowerCase(SourceImage)
| eval TargetLower = toLowerCase(TargetImage)
| eval ImageLoadedLower = toLowerCase(ImageLoaded)
| eval HighRiskSource = if(
    SourceLower matches "*(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec).exe",
    true, false)
| eval ProtectedTarget = if(
    TargetLower matches "*(lsass|csrss|winlogon|smss|wininit).exe",
    true, false)
| eval TrustedSecurity = if(
    SourceLower matches "*(msmpeng|senseir|sensecnc|kavtray|bdservicehost|cylancesvc|cb).exe",
    true, false)
| eval IsNtdllUnhook = if(
    EventID = "7"
    AND ImageLoadedLower matches "*ntdll.dll"
    AND !(ImageLoadedLower matches "*(system32|syswow64|winsxs)*ntdll.dll"),
    true, false)
| where
    (EventID = "8" AND (HighRiskSource OR (ProtectedTarget AND !TrustedSecurity)))
    OR (EventID = "10" AND (ProtectedTarget OR HighRiskSource))
    OR IsNtdllUnhook = true
| eval Signal = if(EventID = "8", "CreateRemoteThread_Injection",
    if(EventID = "10", "ProcessAccess_InjectionRights",
    "NtdllUnhook_EDRBypass"))
| eval RiskScore = if(EventID = "8" AND HighRiskSource AND ProtectedTarget, 100,
    if(IsNtdllUnhook = true, 90,
    if(ProtectedTarget, 80, 60)))
| table _time, Computer, UserAccount, Signal, RiskScore, EventID,
         SourceImage, TargetImage, GrantedAccess, ImageLoaded, SourceCommandLine
| sort by RiskScore, _time desc

Detects T1106 Native API abuse in Sumo Logic by parsing Sysmon XML fields from forwarded Windows events. Classifies three signals: CreateRemoteThread (EID 8) from high-risk parent processes or into protected system processes; ProcessAccess (EID 10) with injection-relevant access rights targeting sensitive processes; and ntdll.dll loaded outside System32/SysWOW64/WinSxS directories (EID 7), indicating the clean-copy remap EDR bypass. Assigns a 0-100 risk score: 100 for Office→LSASS injection, 90 for ntdll unhooking, 80 for protected-target access, 60 for high-risk source injection. Adjust _sourceCategory to match your Sysmon data collection path.

high severity high confidence

Data Sources

Windows Sysmon Sumo Logic Installed Collector (Windows) Sumo Logic OpenTelemetry Collector

Required Tables

windows/sysmon (or equivalent _sourceCategory)

False Positives

Security orchestration and SOAR platforms that open process handles to running agents for health checks or remediation workflows
Windows Defender Credential Guard and virtualization-based security features that legitimately map system DLLs from isolated VSM memory regions outside standard paths
Sysinternals tools (Process Explorer, ProcMon, ProcDump) that open handles to system processes — add exclusions based on Computer/path context for admin workstations

Google Chronicle / SecOps

yaral

rule t1106_native_api_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects T1106 Native API abuse: process injection via CreateRemoteThread/ProcessAccess and ntdll EDR unhooking via clean-copy remap"
    mitre_attack_technique = "T1106"
    mitre_attack_tactic = "Execution"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"
    platforms = "Windows"

  events:
    (
      /* Signal 1 & 2: Process injection into high-value targets or from high-risk initiators */
      (
        $e.metadata.event_type = "PROCESS_INJECTION"
        and (
          re.regex($e.principal.process.file.full_path,
            `(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec)\.exe$`)
          or (
            re.regex($e.target.process.file.full_path,
              `(?i)(lsass|csrss|winlogon|smss|wininit)\.exe$`)
            and not re.regex($e.principal.process.file.full_path,
              `(?i)(MsMpEng|SenseIR|SenseCnC|kavtray|bdservicehost|CylanceSvc|cb)\.exe$`)
          )
        )
      )
      or
      /* Signal 3: ntdll.dll loaded from non-standard path — EDR hook removal */
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD"
        and re.regex($e.target.file.full_path, `(?i)ntdll\.dll$`)
        and not re.regex($e.target.file.full_path,
          `(?i)(Windows.(System32|SysWOW64|WinSxS).+ntdll\.dll)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1106 Native API abuse in two signal groups: (1) PROCESS_INJECTION events where the initiating process is a high-risk Office or scripting host, or where the target process is a protected system process (lsass, csrss, winlogon, smss, wininit) and the initiator is not a known trusted security tool; (2) PROCESS_MODULE_LOAD events where ntdll.dll is loaded from a path outside System32, SysWOW64, or WinSxS, indicating the clean-copy ntdll remap technique used by SysWhispers and similar direct-syscall frameworks to remove EDR user-mode hooks. Requires Sysmon telemetry ingested and parsed into Chronicle UDM; PROCESS_INJECTION covers both Sysmon EID 8 (CreateRemoteThread) and EID 10 (ProcessAccess) depending on the parser version.

high severity high confidence

Data Sources

Chronicle SIEM Chronicle Forwarder with Sysmon Google Security Operations UDM

Required Tables

UDM — PROCESS_INJECTION and PROCESS_MODULE_LOAD event types

False Positives

Endpoint security software using PROCESS_INJECTION patterns for legitimate memory scanning — add 'and not re.regex($e.principal.process.file.full_path, ...)' exclusions for known EDR vendor install paths
Application virtualization platforms (VMware ThinApp, Microsoft App-V) that inject environment shim DLLs into process space as part of application isolation
Some .NET profiling and APM agents that load a patched copy of system DLLs from a local cache directory as part of bytecode rewriting — validate against known APM product paths

CrowdStrike LogScale (CQL)

cql

/* T1106 — Native API: process injection and ntdll unhooking
   CrowdStrike Falcon NG-SIEM / LogScale — Falcon sensor telemetry */

/* Signal 1 & 2: NT API injection primitives — remote thread creation and NT memory API calls */
(
  #event_simpleName = "CreateRemoteThreadV2"
  OR #event_simpleName = "VirtualAllocExApiCall"
  OR #event_simpleName = "NtAllocateVirtualMemoryApiCall"
  OR #event_simpleName = "WriteProcessMemoryApiCall"
)
| HighRiskSource := SourceProcessImageFileName =
    /(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec)\.exe$/
| ProtectedTarget := TargetProcessImageFileName =
    /(?i)(lsass|csrss|winlogon|smss|wininit)\.exe$/
| TrustedSecurity := SourceProcessImageFileName =
    /(?i)(MsMpEng|SenseIR|SenseCnC|kavtray|bdservicehost|CylanceSvc|cb)\.exe$/
| filter(HighRiskSource = true OR (ProtectedTarget = true AND TrustedSecurity != true))
| Signal := "InjectionAPI_T1106"
| RiskScore := case {
    HighRiskSource = true AND ProtectedTarget = true => 100;
    ProtectedTarget = true => 80;
    HighRiskSource = true => 60;
    * => 40
  }
| table(
    [_time, ComputerName, UserName, Signal, RiskScore, #event_simpleName,
     SourceProcessImageFileName, SourceCommandLine,
     TargetProcessImageFileName, TargetProcessId],
    limit=1000
  )

/* Signal 3: ntdll.dll loaded from non-standard path — EDR unhooking */
| union {
    #event_simpleName = "ClassifiedModuleLoad"
    OR #event_simpleName = "SuspiciousModuleLoad"
    | ImageFileName = /(?i)ntdll\.dll$/
    | NOT ImageFileName = /(?i)(Windows\\System32|Windows\\SysWOW64|Windows\\WinSxS)/
    | Signal := "NtdllUnhook_EDRBypass_T1106"
    | RiskScore := 90
    | table(
        [_time, ComputerName, UserName, Signal, RiskScore, #event_simpleName,
         ContextImageFileName, ImageFileName],
        limit=1000
      )
  }
| sort(field=RiskScore, order=desc)
| sort(field=_time, order=desc)

Detects T1106 Native API abuse in CrowdStrike Falcon NG-SIEM / LogScale. Signal 1 and 2 cover injection API chains: CreateRemoteThreadV2 for classic remote thread injection, and NT memory API calls (VirtualAllocExApiCall, NtAllocateVirtualMemoryApiCall, WriteProcessMemoryApiCall) from high-risk Office or script interpreter processes, or targeting protected system processes. Signal 3 covers ntdll.dll loaded from paths outside System32/SysWOW64/WinSxS via ClassifiedModuleLoad or SuspiciousModuleLoad events, identifying the SysWhispers-style clean-copy remap technique used to neutralize EDR user-mode hooks before direct syscall execution. Note: SourceProcessImageFileName and TargetProcessImageFileName availability varies by event type — NtAllocate/WriteProcessMemory events may use TargetImageFileName; adjust field names to match your sensor version and FDR schema.

high severity high confidence

Data Sources

CrowdStrike Falcon NG-SIEM CrowdStrike LogScale Falcon Data Replicator (FDR)

Required Tables

Falcon event stream: CreateRemoteThreadV2, VirtualAllocExApiCall, NtAllocateVirtualMemoryApiCall, WriteProcessMemoryApiCall, ClassifiedModuleLoad, SuspiciousModuleLoad

False Positives

CrowdStrike Falcon sensor itself performs cross-process memory inspection and may generate matching injection API events — apply SourceProcessImageFileName exclusions for CSFalconService.exe and related Falcon process paths
JIT compilers and managed runtimes (.NET CLR, JVM, V8/Node.js) perform VirtualAllocEx and WriteProcessMemory calls within their own address space for JIT code emission — correlate with TargetProcessId matching SourceProcessId to filter self-injection
Windows Subsystem for Linux (WSL2) and Hyper-V virtualization infrastructure use NT memory management APIs across process boundaries that may match injection API event patterns on host systems running WSL2 workloads

Sigma rule & cross-platform mapping

The detection logic for Native API (T1106) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1106 Sigma rules on detection.fyi

Platform-specific guides for T1106

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-17 Research depth: deep

References (13)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1NtAllocateVirtualMemory Direct Call via PowerShell P/Invoke
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'NtAllocateVirtualMemory'. MDE DeviceEvents: NtAllocateVirtualMemoryApiCall ActionType from the powershell.exe process. PowerShell ScriptBlock Log Event ID 4104: full script content including the DllImport declaration and the API call.
Test 2Process Injection via NtCreateRemoteThread (C# Executable)
Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, StartAddress pointing to null (suspended thread with null entry point). Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x1F0FFF. MDE DeviceEvents: CreateRemoteThreadApiCall with InitiatingProcessFileName=powershell.exe.
Test 3API Unhooking — Remap ntdll.dll from Disk
Expected signal: Sysmon Event ID 7 (ImageLoad): The ntdll.dll module is already loaded, but if the unhooking completed (in a real attack), a second load from a temp path would appear. PowerShell ScriptBlock Log Event ID 4104: full script showing ntdll.dll path access and byte comparison. MDE DeviceFileEvents: ReadFile operation on C:\Windows\System32\ntdll.dll from powershell.exe.
Test 4Direct Syscall Execution via Inline Assembly (SysWhispers2-style)
Expected signal: If compiled: Sysmon Event ID 1 (Process Create) for syscall_test.exe; Sysmon Event ID 11 (File Create) for the .exe in %TEMP%; MDE DeviceFileEvents for the VirtualAlloc RWX allocation. The byte pattern 4C 8B D1 B8 xx 00 00 00 0F 05 C3 in the allocated memory region is the direct syscall stub signature. If not compiled: PowerShell ScriptBlock Event ID 4104 captures the stub bytes for signature validation.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1106 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Native API

What is T1106 Native API?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1106

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

What is T1106 Native API?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1106

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox