T1106 IBM QRadar · QRadar

Detect Native API in IBM QRadar

Adversaries may call the native OS application programming interface (API) directly to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. Adversaries abuse these APIs to execute code while bypassing higher-level defensive sensors such as AMSI and user-mode API hooks. Common patterns include: direct syscall invocation (bypassing ntdll.dll hooks entirely), process injection via the NT memory and thread APIs (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, RtlCreateUserThread), API unhooking by re-mapping a clean copy of ntdll.dll from disk, and spawning processes via NtCreateProcess or NtCreateProcessEx rather than the Win32 CreateProcess family. Tooling such as Cobalt Strike and SysWhispers, and actors including Medusa Group, use direct syscalls specifically to evade EDR user-mode hooks. Direct syscalls defeat user-mode hooks only: kernel callbacks still observe the resulting process, thread and handle operations, which is why the Sysmon-based signals below remain effective against them.

MITRE ATT&CK

Tactic
Execution
Technique
T1106 Native API
Canonical reference
https://attack.mitre.org/techniques/T1106/

QRadar Detection Query

IBM QRadar (QRadar), AQL
/* T1106 — Native API: process injection and ntdll unhooking.
   Requires Sysmon forwarded via WEC or WinCollect and parsed by the Microsoft Windows or Sysmon DSM.
   AQL has no ILIKE ANY or SIMILAR TO: list and mask matches use IMATCHES, a case-insensitive
   regular expression over the whole value, so LOWER() is not needed. */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserAccount,
  sourceip AS HostIP,
  QIDNAME(qid) AS SysmonEventName,
  "SourceImage" AS SourceProcess,
  "TargetImage" AS TargetProcess,
  "GrantedAccess" AS GrantedAccess,
  "ImageLoaded" AS ImageLoaded,
  "SourceCommandLine" AS CommandLine
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND (
    /* Signal 1: CreateRemoteThread (Sysmon Event ID 8) */
    (
      QIDNAME(qid) ILIKE '%CreateRemoteThread%'
      AND (
        "SourceImage" IMATCHES '.*(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec)[.]exe'
        OR (
          "TargetImage" IMATCHES '.*(lsass|csrss|winlogon|smss|wininit)[.]exe'
          AND NOT ("SourceImage" IMATCHES '.*(msmpeng|senseir|sensecnc|kavtray|bdservicehost|cylancesvc|cb)[.]exe')
        )
      )
    )
    /* Signal 2: ProcessAccess with injection-grade rights (Sysmon Event ID 10) */
    OR (
      QIDNAME(qid) ILIKE '%ProcessAccess%'
      AND (
        "TargetImage" IMATCHES '.*(lsass|csrss|winlogon)[.]exe'
        OR "SourceImage" IMATCHES '.*(winword|excel|mshta|wscript|cscript|rundll32|regsvr32)[.]exe'
      )
      /* Mask includes PROCESS_VM_WRITE (0x20) or PROCESS_CREATE_THREAD (0x2): the second-lowest
         or lowest hex digit has bit 1 set. Matches 0x1FFFFF and 0x1F0FFF (PROCESS_ALL_ACCESS),
         0x143A, 0x1438 and 0x38; does not match query/read-only handles such as 0x1410 or 0x1400. */
      AND "GrantedAccess" IMATCHES '0x[0-9a-f]*([2367abef][0-9a-f]|[2367abef])'
    )
    /* Signal 3: ntdll.dll loaded from a non-standard path (Sysmon Event ID 7) */
    OR (
      QIDNAME(qid) ILIKE '%ImageLoad%'
      AND "ImageLoaded" ILIKE '%ntdll.dll'
      AND "ImageLoaded" NOT ILIKE '%windows%system32%ntdll.dll'
      AND "ImageLoaded" NOT ILIKE '%windows%syswow64%ntdll.dll'
      AND "ImageLoaded" NOT ILIKE '%windows%winsxs%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

Severity: high · Confidence: medium

Detects T1106 Native API abuse in QRadar using AQL against Sysmon events, on three signals: CreateRemoteThread (Event ID 8) from high-risk Office and scripting processes, or into lsass/csrss/winlogon/smss/wininit from anything other than known security tooling; ProcessAccess (Event ID 10) to lsass/csrss/winlogon, or from the same high-risk sources, where the granted mask includes PROCESS_VM_WRITE (0x20) or PROCESS_CREATE_THREAD (0x2), which covers PROCESS_ALL_ACCESS (0x1FFFFF, 0x1F0FFF) and the common injection masks 0x143A, 0x1438 and 0x38 while ignoring query/read-only handles such as 0x1410; and ImageLoad (Event ID 7) of ntdll.dll from outside System32, SysWOW64 and WinSxS. The GrantedAccess pattern tests the two hex digits that carry those bits rather than listing masks, so any combination that can write memory or start a thread in the target qualifies. Note: the custom property names (SourceImage, TargetImage, GrantedAccess, ImageLoaded) depend on the Sysmon DSM custom property extraction in your QRadar deployment; verify them against your DSM's property map and adjust as needed.
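As an added example (not code from the page, IBM or Sysmon), the three signals of the AQL query re-implemented in Python over constructed Sysmon events, so the GrantedAccess mask test and the ntdll path check can be run and verified offline. The event dicts and paths are constructed; it uses the Signal 1 source list for both Signal 1 and Signal 2, a slight generalisation of the query:

```python
"""Added example, not the page's or IBM's code: the three Sysmon signals of the
AQL query above, re-implemented over constructed events so the GrantedAccess
logic can be checked offline. Field names follow Sysmon (SourceImage,
TargetImage, GrantedAccess, ImageLoaded); the sample events are constructed."""
import re

# Process access rights from winnt.h (documented constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020

# The Signal 1 source list is used for both signals (generalisation of the query).
HIGH_RISK_SOURCES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "mshta.exe", "wscript.exe", "cscript.exe",
                     "regsvr32.exe", "rundll32.exe", "msiexec.exe"}
S1_TARGETS = {"lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe", "wininit.exe"}
S2_TARGETS = {"lsass.exe", "csrss.exe", "winlogon.exe"}
KNOWN_SECURITY_TOOLS = {"msmpeng.exe", "senseir.exe", "sensecnc.exe", "kavtray.exe",
                        "bdservicehost.exe", "cylancesvc.exe", "cb.exe"}
# Standard ntdll.dll locations: System32, SysWOW64 and the WinSxS component store.
STANDARD_NTDLL = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64|winsxs\\.*)\\ntdll\.dll$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return path.rsplit("\\", 1)[-1].lower()


def injection_capable(granted_access):
    """True when the mask allows writing memory or creating a thread in the target.

    Sysmon logs GrantedAccess as a hex string such as '0x1FFFFF' or '0x1410'.
    0x1FFFFF/0x1F0FFF (PROCESS_ALL_ACCESS), 0x143A, 0x1438 and 0x38 qualify;
    0x1410 (query + read, the usual Task Manager handle) does not.
    """
    mask = int(granted_access, 16)
    return bool(mask & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD))


def classify(event):
    """Return the name of the signal an event matches, or None."""
    src = basename(event.get("SourceImage", ""))
    tgt = basename(event.get("TargetImage", ""))
    if event["EventID"] == 8:  # CreateRemoteThread
        if src in HIGH_RISK_SOURCES:
            return "S1 remote thread from high-risk source"
        if tgt in S1_TARGETS and src not in KNOWN_SECURITY_TOOLS:
            return "S1 remote thread into sensitive process"
    elif event["EventID"] == 10:  # ProcessAccess
        if (tgt in S2_TARGETS or src in HIGH_RISK_SOURCES) \
                and injection_capable(event["GrantedAccess"]):
            return "S2 injection-grade access"
    elif event["EventID"] == 7:  # ImageLoad
        loaded = event.get("ImageLoaded", "")
        if basename(loaded) == "ntdll.dll" and not STANDARD_NTDLL.match(loaded):
            return "S3 ntdll.dll from non-standard path"
    return None


def run(events):
    """[(index, signal)] for every event that fires."""
    hits = []
    for i, ev in enumerate(events):
        sig = classify(ev)
        if sig:
            hits.append((i, sig))
    return hits


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x143A"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\mshta.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 7, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\a.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\ntdll.dll"},
    {"EventID": 7, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\WinSxS\amd64_microsoft-windows-ntdll_x\ntdll.dll"},
]

if __name__ == "__main__":
    for idx, sig in run(SAMPLE_EVENTS):
        print(idx, sig)
```

Events 0, 2, 3 and 5 fire; the Task Manager handle (0x1410), Defender's thread into lsass and the WinSxS copy of ntdll.dll do not. Event 2 is the WerFault case the tuning section lists below: a legitimate PROCESS_ALL_ACCESS handle to a faulting process, which the bit test cannot distinguish from injection and must be excluded by source image.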

Data Sources

  • Windows Sysmon via WEC/WinCollect
  • QRadar Microsoft Windows DSM
  • QRadar Sysmon DSM (custom)

Required Tables

events

False Positives & Tuning

  • Windows Error Reporting (WerFault.exe, launched by the WER service) legitimately opens PROCESS_ALL_ACCESS handles to faulting processes; add AND "SourceImage" NOT ILIKE '%werfault.exe' to Signal 2 if it generates excessive volume
  • Application performance monitoring agents (AppDynamics, Dynatrace, New Relic) may use cross-process memory APIs for bytecode instrumentation and profiling
  • Security tooling with deep kernel integration may load custom copies of ntdll.dll or system DLLs from product directories for API shimming — validate ImageLoaded paths against your security product install directories

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: NtAllocateVirtualMemory Direct Call via PowerShell P/Invoke

    Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with CommandLine containing 'NtAllocateVirtualMemory'. MDE DeviceEvents: NtAllocateVirtualMemoryApiCall ActionType from the powershell.exe process. PowerShell ScriptBlock Log Event ID 4104: full script content including the DllImport declaration and the API call. Note that an allocation in the caller's own process produces no Sysmon event; none of the three signals above fires on this test.

  2. Test 2: Process Injection via NtCreateThreadEx (C# Executable)

    Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe when the C# is run from PowerShell, TargetImage=notepad.exe, StartAddress inside the region allocated in notepad.exe. Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x1F0FFF. MDE DeviceEvents: CreateRemoteThreadApiCall with InitiatingProcessFileName=powershell.exe. Signal 2 fires only if powershell.exe is added to the high-risk source list or notepad.exe to the target list; Signal 1 fires for the same reason only after tuning.

  3. Test 3: API Unhooking, Remap ntdll.dll from Disk

    Expected signal: Sysmon Event ID 7 (ImageLoad): ntdll.dll is already loaded at process start, and a fresh mapping of C:\Windows\System32\ntdll.dll produces at most a second ImageLoad from the standard path, which Signal 3 excludes by design; only a copy mapped from a temp or other non-standard path triggers it. PowerShell ScriptBlock Log Event ID 4104: full script showing the ntdll.dll path access and byte comparison. MDE DeviceEvents: NtProtectVirtualMemoryApiCall from powershell.exe if the loaded .text section is made writable for the overwrite.

  4. Test 4: Direct Syscall Execution via Inline Assembly (SysWhispers2-style)

    Expected signal: If compiled: Sysmon Event ID 1 (Process Create) for syscall_test.exe; Sysmon Event ID 11 (File Create) for the .exe in %TEMP%; MDE DeviceEvents: NtAllocateVirtualMemoryApiCall for the RWX allocation. The byte pattern 4C 8B D1 B8 xx 00 00 00 0F 05 C3 (mov r10,rcx; mov eax,<SSN>; syscall; ret) in the allocated memory region is the direct syscall stub signature. A direct syscall bypasses user-mode hooks, not kernel callbacks: if the stub is used to open or inject into another process, Sysmon still records Event ID 10 and 8, which is what the query above relies on. If not compiled: PowerShell ScriptBlock Event ID 4104 captures the stub bytes for signature validation.
