T1106

Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. Adversaries abuse these APIs to execute code while bypassing higher-level defensive sensors, AMSI, and user-mode API hooks. Common attack patterns include: direct syscall invocation (bypassing ntdll.dll hooks entirely), process injection via NT memory APIs (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, RtlCreateUserThread), API unhooking by re-mapping a clean copy of ntdll.dll from disk, and spawning processes via NtCreateProcess or NtCreateProcessEx rather than the standard Win32 CreateProcess. Real-world actors including Cobalt Strike, Medusa Group, and tools like SysWhispers leverage direct syscalls specifically to evade EDR user-mode hooks.

Microsoft Sentinel / Defender

kusto

// T1106 — Native API abuse: cross-process injection and direct NT API usage
// Signal 1: CreateRemoteThread API calls from suspicious initiating processes
let HighRiskParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
  "msiexec.exe", "werfault.exe", "explorer.exe"]);
let ProtectedTargets = dynamic(["lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe", "wininit.exe"]);
let TrustedSecurityTools = dynamic(["MsMpEng.exe", "SenseIR.exe", "SenseCnC.exe", "kavtray.exe",
  "bdservicehost.exe", "CylanceSvc.exe", "cb.exe"]);
let InjectionEvents =
    DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType in~ ("CreateRemoteThreadApiCall", "MemoryRemoteProtect",
                            "NtAllocateVirtualMemoryApiCall", "InjectIntoProcess")
    | extend TargetProcess = tostring(AdditionalFields.TargetProcessName)
    | extend GrantedAccess = tostring(AdditionalFields.GrantedAccess)
    | where
        // Office/script interpreters injecting into anything
        InitiatingProcessFileName has_any (HighRiskParents)
        // Any process injecting into security-critical system processes
        or (TargetProcess has_any (ProtectedTargets)
            and not (InitiatingProcessFileName has_any (TrustedSecurityTools)))
    | extend Signal = "cross_process_injection"
    | project Timestamp, DeviceName, AccountName, Signal, ActionType,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, TargetProcess, GrantedAccess,
              InitiatingProcessId, AdditionalFields;
// Signal 2: ntdll.dll loaded from non-standard path (API unhooking technique)
let UnhookingEvents =
    DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "ntdll.dll"
    | where not (FolderPath has_any ("\\Windows\\System32\\", "\\Windows\\SysWOW64\\",
                                     "\\Windows\\WinSxS\\"))
    | extend Signal = "ntdll_unhooking"
    | project Timestamp, DeviceName, AccountName, Signal,
              ActionType = "ImageLoad", InitiatingProcessFileName,
              InitiatingProcessCommandLine, InitiatingProcessParentFileName,
              TargetProcess = "", GrantedAccess = "",
              InitiatingProcessId, AdditionalFields = todynamic(pack("DllPath", FolderPath));
union InjectionEvents, UnhookingEvents
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceImageLoadEvents

False Positives

Endpoint security products (AV, EDR, DLP agents) that legitimately use process injection for in-memory scanning or API hooking — exclude by InitiatingProcessFileName matching known security vendor executables
Game anti-cheat engines (BattlEye, EasyAntiCheat, Vanguard) that inject into game processes for integrity monitoring — baseline these on gaming workstations
Software DRM and licensing systems that use code injection to verify license state at runtime
Legitimate debuggers (WinDbg, x64dbg, Visual Studio debugger) that use NtOpenProcess and write memory for debugging — expected on developer machines
Virtualization and sandboxing tools (VMware Tools, VirtualBox Guest Additions) that load modified ntdll copies or interact with process memory for guest-host communication

Splunk

spl

// T1106 — Native API abuse: Sysmon-based detection for process injection and cross-process memory access
// Signal 1: CreateRemoteThread (Sysmon Event ID 8) — classic injection finale
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
| eval SourceImage=lower(SourceImage)
| eval TargetImage=lower(TargetImage)
| eval HighRiskSource=if(match(SourceImage,
    "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe)"),
    1, 0)
| eval ProtectedTarget=if(match(TargetImage,
    "(lsass\.exe|csrss\.exe|winlogon\.exe|smss\.exe|wininit\.exe)"),
    1, 0)
| eval TrustedSecurity=if(match(SourceImage,
    "(msmpeng\.exe|senseir\.exe|cavtray\.exe|bdservicehost\.exe|cylancesvc\.exe)"),
    1, 0)
| where (HighRiskSource=1 OR ProtectedTarget=1) AND TrustedSecurity=0
| eval Signal="create_remote_thread"
| eval RiskScore=if(HighRiskSource=1 AND ProtectedTarget=1, 100, if(ProtectedTarget=1, 80, 60))
| table _time, host, User, Signal, RiskScore, SourceImage, SourceCommandLine,
         TargetImage, StartAddress, StartModule, StartFunction
| eval _comment="Signal 1: CreateRemoteThread"
| append
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
      | eval SourceImage=lower(SourceImage)
      | eval TargetImage=lower(TargetImage)
      | eval GrantedAccess=lower(GrantedAccess)
      | eval InjectRights=if(match(GrantedAccess, "(0x1f[0-9a-f]{4}|0x[0-9a-f]*38[0-9a-f]*|0x[0-9a-f]*28[0-9a-f]*)"), 1, 0)
      | eval ProtectedTarget=if(match(TargetImage, "(lsass\.exe|csrss\.exe|winlogon\.exe)"), 1, 0)
      | eval HighRiskSource=if(match(SourceImage,
            "(winword\.exe|excel\.exe|powerpnt\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe)"),
            1, 0)
      | where InjectRights=1 AND (ProtectedTarget=1 OR HighRiskSource=1)
      | eval Signal="process_access_injection_rights"
      | eval RiskScore=if(ProtectedTarget=1, 90, 65)
      | table _time, host, User, Signal, RiskScore, SourceImage, SourceCommandLine,
               TargetImage, GrantedAccess ]
| sort - RiskScore _time

high severity medium confidence

Data Sources

Process: OS API Execution Process: Process Access Sysmon Event ID 8 (CreateRemoteThread) Sysmon Event ID 10 (ProcessAccess)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security products using CreateRemoteThread for legitimate injection (AV in-memory scanning, DLP agents) — add TrustedSecurity exclusion list per environment
Game anti-cheat engines injecting into game processes on workstations designated for gaming
Debuggers (Visual Studio, WinDbg) performing cross-process inspection with full access rights on developer machines
Monitoring tools (Process Monitor, VMware Tools) accessing process memory for diagnostic or virtualization purposes
Software installers that briefly inject into other processes for configuration patching during installation

Elastic Security (EQL)

eql

/* T1106 — Native API: process injection and ntdll unhooking
   Requires Sysmon 13+ via Elastic Agent or Winlogbeat (windows.sysmon_operational) */
any where event.dataset == "windows.sysmon_operational" and
(
  /* EID 8: CreateRemoteThread — high-risk initiator or injection into protected process */
  (
    event.code == "8" and
    (
      regex(winlog.event_data.SourceImage,
        "(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec).exe$")
      or (
        regex(winlog.event_data.TargetImage,
          "(?i)(lsass|csrss|winlogon|smss|wininit).exe$") and
        not regex(winlog.event_data.SourceImage,
          "(?i)(MsMpEng|SenseIR|SenseCnC|kavtray|bdservicehost|CylanceSvc|cb).exe$")
      )
    )
  )
  /* EID 10: ProcessAccess with injection-grade access rights */
  or (
    event.code == "10" and
    (
      regex(winlog.event_data.TargetImage,
        "(?i)(lsass|csrss|winlogon).exe$")
      or regex(winlog.event_data.SourceImage,
        "(?i)(winword|excel|powerpnt|mshta|wscript|cscript|rundll32|regsvr32).exe$")
    ) and
    winlog.event_data.GrantedAccess like~ ("0x1f*", "0x143a", "0x1438", "0x14*")
  )
  /* EID 7: ntdll.dll loaded from non-standard path — EDR hook bypass via clean-copy mapping */
  or (
    event.code == "7" and
    regex(winlog.event_data.ImageLoaded, "(?i)ntdll.dll$") and
    not (
      winlog.event_data.ImageLoaded like~ "*System32*ntdll.dll" or
      winlog.event_data.ImageLoaded like~ "*SysWOW64*ntdll.dll" or
      winlog.event_data.ImageLoaded like~ "*WinSxS*ntdll.dll"
    )
  )
)

high severity high confidence

Data Sources

Windows Sysmon 13+ Elastic Agent Windows Integration Winlogbeat

Required Tables

logs-windows.sysmon_operational-*

False Positives

EDR and AV agents (MsMpEng.exe, SenseIR.exe, CylanceSvc.exe) legitimately use cross-process memory APIs for scanning and real-time protection — exclude by principal process path or add to the TrustedSecurity exclusion list
Debuggers such as WinDbg, x64dbg, and OllyDbg use CreateRemoteThread and ProcessAccess with high-privilege masks as part of normal debugging workflows
Game anti-cheat systems (BattlEye, Easy Anti-Cheat) inject shim DLLs into game processes using the same injection primitives detected here

IBM QRadar (AQL)

sql

/* T1106 — Native API: process injection and ntdll unhooking
   Requires Sysmon forwarded via WEC or WinCollect with Microsoft Windows or Sysmon DSM */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserAccount,
  sourceip AS HostIP,
  QIDNAME(qid) AS SysmonEventName,
  "SourceImage" AS SourceProcess,
  "TargetImage" AS TargetProcess,
  "GrantedAccess" AS GrantedAccess,
  "ImageLoaded" AS ImageLoaded,
  "SourceCommandLine" AS CommandLine
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND (
    /* Signal 1: CreateRemoteThread (Sysmon EventCode 8) */
    (
      QIDNAME(qid) ILIKE '%CreateRemoteThread%'
      AND (
        LOWER("SourceImage") ILIKE ANY (
          '%winword.exe', '%excel.exe', '%powerpnt.exe', '%outlook.exe',
          '%mshta.exe', '%wscript.exe', '%cscript.exe',
          '%regsvr32.exe', '%rundll32.exe', '%msiexec.exe'
        )
        OR (
          LOWER("TargetImage") ILIKE ANY (
            '%lsass.exe', '%csrss.exe', '%winlogon.exe', '%smss.exe', '%wininit.exe'
          )
          AND LOWER("SourceImage") NOT ILIKE ANY (
            '%msmpeng.exe', '%senseir.exe', '%sensecnc.exe',
            '%kavtray.exe', '%bdservicehost.exe', '%cylancesvc.exe', '%cb.exe'
          )
        )
      )
    )
    /* Signal 2: ProcessAccess with injection-grade rights (Sysmon EventCode 10) */
    OR (
      QIDNAME(qid) ILIKE '%ProcessAccess%'
      AND (
        LOWER("TargetImage") ILIKE ANY ('%lsass.exe', '%csrss.exe', '%winlogon.exe')
        OR LOWER("SourceImage") ILIKE ANY (
          '%winword.exe', '%excel.exe', '%mshta.exe',
          '%wscript.exe', '%cscript.exe', '%rundll32.exe', '%regsvr32.exe'
        )
      )
      AND LOWER("GrantedAccess") SIMILAR TO
        '(0x1f[0-9a-f]{4}|0x[0-9a-f]*38[0-9a-f]*|0x143a|0x1438|0x14[0-9a-f]{2})'
    )
    /* Signal 3: ntdll.dll loaded from non-standard path (Sysmon EventCode 7) */
    OR (
      QIDNAME(qid) ILIKE '%ImageLoad%'
      AND LOWER("ImageLoaded") ILIKE '%ntdll.dll'
      AND LOWER("ImageLoaded") NOT ILIKE '%windows%system32%ntdll.dll'
      AND LOWER("ImageLoaded") NOT ILIKE '%windows%syswow64%ntdll.dll'
      AND LOWER("ImageLoaded") NOT ILIKE '%windows%winsxs%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Sysmon via WEC/WinCollect QRadar Microsoft Windows DSM QRadar Sysmon DSM (custom)

Required Tables

events

False Positives

Windows crash dump collection (WerFault.exe, werfault.exe via WER service) legitimately opens PROCESS_ALL_ACCESS handles to faulting processes — add LOWER(SourceImage) NOT ILIKE '%werfault.exe' if generating excessive volume
Application performance monitoring agents (AppDynamics, Dynatrace, New Relic) may use cross-process memory APIs for bytecode instrumentation and profiling
Security tooling with deep kernel integration may load custom copies of ntdll.dll or system DLLs from product directories for API shimming — validate ImageLoaded paths against your security product install directories

Sumo Logic CSE

sql

/* T1106 — Native API: process injection and ntdll unhooking
   Adjust _sourceCategory to match your Sysmon collection path */
_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon*
| parse "<EventID>*</EventID>" as EventID
| where EventID in ("7", "8", "10")
| parse "<SourceImage>*</SourceImage>" as SourceImage nodrop
| parse "<TargetImage>*</TargetImage>" as TargetImage nodrop
| parse "<ImageLoaded>*</ImageLoaded>" as ImageLoaded nodrop
| parse "<GrantedAccess>*</GrantedAccess>" as GrantedAccess nodrop
| parse "<User>*</User>" as UserAccount nodrop
| parse "<Computer>*</Computer>" as Computer nodrop
| parse "<SourceCommandLine>*</SourceCommandLine>" as SourceCommandLine nodrop
| eval SourceLower = toLowerCase(SourceImage)
| eval TargetLower = toLowerCase(TargetImage)
| eval ImageLoadedLower = toLowerCase(ImageLoaded)
| eval HighRiskSource = if(
    SourceLower matches "*(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec).exe",
    true, false)
| eval ProtectedTarget = if(
    TargetLower matches "*(lsass|csrss|winlogon|smss|wininit).exe",
    true, false)
| eval TrustedSecurity = if(
    SourceLower matches "*(msmpeng|senseir|sensecnc|kavtray|bdservicehost|cylancesvc|cb).exe",
    true, false)
| eval IsNtdllUnhook = if(
    EventID = "7"
    AND ImageLoadedLower matches "*ntdll.dll"
    AND !(ImageLoadedLower matches "*(system32|syswow64|winsxs)*ntdll.dll"),
    true, false)
| where
    (EventID = "8" AND (HighRiskSource OR (ProtectedTarget AND !TrustedSecurity)))
    OR (EventID = "10" AND (ProtectedTarget OR HighRiskSource))
    OR IsNtdllUnhook = true
| eval Signal = if(EventID = "8", "CreateRemoteThread_Injection",
    if(EventID = "10", "ProcessAccess_InjectionRights",
    "NtdllUnhook_EDRBypass"))
| eval RiskScore = if(EventID = "8" AND HighRiskSource AND ProtectedTarget, 100,
    if(IsNtdllUnhook = true, 90,
    if(ProtectedTarget, 80, 60)))
| table _time, Computer, UserAccount, Signal, RiskScore, EventID,
         SourceImage, TargetImage, GrantedAccess, ImageLoaded, SourceCommandLine
| sort by RiskScore, _time desc

high severity high confidence

Data Sources

Windows Sysmon Sumo Logic Installed Collector (Windows) Sumo Logic OpenTelemetry Collector

Required Tables

windows/sysmon (or equivalent _sourceCategory)

False Positives

Security orchestration and SOAR platforms that open process handles to running agents for health checks or remediation workflows
Windows Defender Credential Guard and virtualization-based security features that legitimately map system DLLs from isolated VSM memory regions outside standard paths
Sysinternals tools (Process Explorer, ProcMon, ProcDump) that open handles to system processes — add exclusions based on Computer/path context for admin workstations

Google Chronicle / SecOps

yaral

rule t1106_native_api_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects T1106 Native API abuse: process injection via CreateRemoteThread/ProcessAccess and ntdll EDR unhooking via clean-copy remap"
    mitre_attack_technique = "T1106"
    mitre_attack_tactic = "Execution"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"
    platforms = "Windows"

  events:
    (
      /* Signal 1 & 2: Process injection into high-value targets or from high-risk initiators */
      (
        $e.metadata.event_type = "PROCESS_INJECTION"
        and (
          re.regex($e.principal.process.file.full_path,
            `(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec)\.exe$`)
          or (
            re.regex($e.target.process.file.full_path,
              `(?i)(lsass|csrss|winlogon|smss|wininit)\.exe$`)
            and not re.regex($e.principal.process.file.full_path,
              `(?i)(MsMpEng|SenseIR|SenseCnC|kavtray|bdservicehost|CylanceSvc|cb)\.exe$`)
          )
        )
      )
      or
      /* Signal 3: ntdll.dll loaded from non-standard path — EDR hook removal */
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD"
        and re.regex($e.target.file.full_path, `(?i)ntdll\.dll$`)
        and not re.regex($e.target.file.full_path,
          `(?i)(Windows.(System32|SysWOW64|WinSxS).+ntdll\.dll)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle SIEM Chronicle Forwarder with Sysmon Google Security Operations UDM

Required Tables

UDM — PROCESS_INJECTION and PROCESS_MODULE_LOAD event types

False Positives

Endpoint security software using PROCESS_INJECTION patterns for legitimate memory scanning — add 'and not re.regex($e.principal.process.file.full_path, ...)' exclusions for known EDR vendor install paths
Application virtualization platforms (VMware ThinApp, Microsoft App-V) that inject environment shim DLLs into process space as part of application isolation
Some .NET profiling and APM agents that load a patched copy of system DLLs from a local cache directory as part of bytecode rewriting — validate against known APM product paths

CrowdStrike LogScale (CQL)

cql

/* T1106 — Native API: process injection and ntdll unhooking
   CrowdStrike Falcon NG-SIEM / LogScale — Falcon sensor telemetry */

/* Signal 1 & 2: NT API injection primitives — remote thread creation and NT memory API calls */
(
  #event_simpleName = "CreateRemoteThreadV2"
  OR #event_simpleName = "VirtualAllocExApiCall"
  OR #event_simpleName = "NtAllocateVirtualMemoryApiCall"
  OR #event_simpleName = "WriteProcessMemoryApiCall"
)
| HighRiskSource := SourceProcessImageFileName =
    /(?i)(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec)\.exe$/
| ProtectedTarget := TargetProcessImageFileName =
    /(?i)(lsass|csrss|winlogon|smss|wininit)\.exe$/
| TrustedSecurity := SourceProcessImageFileName =
    /(?i)(MsMpEng|SenseIR|SenseCnC|kavtray|bdservicehost|CylanceSvc|cb)\.exe$/
| filter(HighRiskSource = true OR (ProtectedTarget = true AND TrustedSecurity != true))
| Signal := "InjectionAPI_T1106"
| RiskScore := case {
    HighRiskSource = true AND ProtectedTarget = true => 100;
    ProtectedTarget = true => 80;
    HighRiskSource = true => 60;
    * => 40
  }
| table(
    [_time, ComputerName, UserName, Signal, RiskScore, #event_simpleName,
     SourceProcessImageFileName, SourceCommandLine,
     TargetProcessImageFileName, TargetProcessId],
    limit=1000
  )

/* Signal 3: ntdll.dll loaded from non-standard path — EDR unhooking */
| union {
    #event_simpleName = "ClassifiedModuleLoad"
    OR #event_simpleName = "SuspiciousModuleLoad"
    | ImageFileName = /(?i)ntdll\.dll$/
    | NOT ImageFileName = /(?i)(Windows\\System32|Windows\\SysWOW64|Windows\\WinSxS)/
    | Signal := "NtdllUnhook_EDRBypass_T1106"
    | RiskScore := 90
    | table(
        [_time, ComputerName, UserName, Signal, RiskScore, #event_simpleName,
         ContextImageFileName, ImageFileName],
        limit=1000
      )
  }
| sort(field=RiskScore, order=desc)
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon NG-SIEM CrowdStrike LogScale Falcon Data Replicator (FDR)

Required Tables

Falcon event stream: CreateRemoteThreadV2, VirtualAllocExApiCall, NtAllocateVirtualMemoryApiCall, WriteProcessMemoryApiCall, ClassifiedModuleLoad, SuspiciousModuleLoad

False Positives

CrowdStrike Falcon sensor itself performs cross-process memory inspection and may generate matching injection API events — apply SourceProcessImageFileName exclusions for CSFalconService.exe and related Falcon process paths
JIT compilers and managed runtimes (.NET CLR, JVM, V8/Node.js) perform VirtualAllocEx and WriteProcessMemory calls within their own address space for JIT code emission — correlate with TargetProcessId matching SourceProcessId to filter self-injection
Windows Subsystem for Linux (WSL2) and Hyper-V virtualization infrastructure use NT memory management APIs across process boundaries that may match injection API event patterns on host systems running WSL2 workloads

Last updated: 2026-04-17 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1106 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Native API

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections