Detect Native API in Microsoft Sentinel
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. Adversaries abuse these APIs to execute code while bypassing higher-level defensive sensors, AMSI, and user-mode API hooks. Common attack patterns include: direct syscall invocation (bypassing ntdll.dll hooks entirely), process injection via NT memory APIs (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, RtlCreateUserThread), API unhooking by re-mapping a clean copy of ntdll.dll from disk, and spawning processes via NtCreateProcess or NtCreateProcessEx rather than the standard Win32 CreateProcess. Real-world actors including Cobalt Strike, Medusa Group, and tools like SysWhispers leverage direct syscalls specifically to evade EDR user-mode hooks.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1106 Native API
- Canonical reference
- https://attack.mitre.org/techniques/T1106/
KQL Detection Query
// T1106 — Native API abuse: cross-process injection and direct NT API usage
// Signal 1: CreateRemoteThread API calls from suspicious initiating processes
let HighRiskParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
"msiexec.exe", "werfault.exe", "explorer.exe"]);
let ProtectedTargets = dynamic(["lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe", "wininit.exe"]);
let TrustedSecurityTools = dynamic(["MsMpEng.exe", "SenseIR.exe", "SenseCnC.exe", "kavtray.exe",
"bdservicehost.exe", "CylanceSvc.exe", "cb.exe"]);
let InjectionEvents =
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("CreateRemoteThreadApiCall", "MemoryRemoteProtect",
"NtAllocateVirtualMemoryApiCall", "InjectIntoProcess")
| extend TargetProcess = tostring(AdditionalFields.TargetProcessName)
| extend GrantedAccess = tostring(AdditionalFields.GrantedAccess)
| where
// Office/script interpreters injecting into anything
InitiatingProcessFileName has_any (HighRiskParents)
// Any process injecting into security-critical system processes
or (TargetProcess has_any (ProtectedTargets)
and not (InitiatingProcessFileName has_any (TrustedSecurityTools)))
| extend Signal = "cross_process_injection"
| project Timestamp, DeviceName, AccountName, Signal, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, TargetProcess, GrantedAccess,
InitiatingProcessId, AdditionalFields;
// Signal 2: ntdll.dll loaded from non-standard path (API unhooking technique)
let UnhookingEvents =
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName =~ "ntdll.dll"
| where not (FolderPath has_any ("\\Windows\\System32\\", "\\Windows\\SysWOW64\\",
"\\Windows\\WinSxS\\"))
| extend Signal = "ntdll_unhooking"
| project Timestamp, DeviceName, AccountName, Signal,
ActionType = "ImageLoad", InitiatingProcessFileName,
InitiatingProcessCommandLine, InitiatingProcessParentFileName,
TargetProcess = "", GrantedAccess = "",
InitiatingProcessId, AdditionalFields = todynamic(pack("DllPath", FolderPath));
union InjectionEvents, UnhookingEvents
| sort by Timestamp descDetects Native API abuse through two complementary signals. Signal 1 monitors DeviceEvents for cross-process injection ActionTypes (CreateRemoteThreadApiCall, MemoryRemoteProtect, NtAllocateVirtualMemoryApiCall, InjectIntoProcess) where the initiating process is a high-risk Office/script interpreter or the target is a protected system process such as lsass.exe. Signal 2 monitors DeviceImageLoadEvents for ntdll.dll being loaded from non-standard filesystem locations, which is a reliable indicator of API unhooking (adversaries map a clean ntdll copy to bypass EDR hooks). Results are unioned to give analysts a single view of native API abuse activity.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint security products (AV, EDR, DLP agents) that legitimately use process injection for in-memory scanning or API hooking — exclude by InitiatingProcessFileName matching known security vendor executables
- Game anti-cheat engines (BattlEye, EasyAntiCheat, Vanguard) that inject into game processes for integrity monitoring — baseline these on gaming workstations
- Software DRM and licensing systems that use code injection to verify license state at runtime
- Legitimate debuggers (WinDbg, x64dbg, Visual Studio debugger) that use NtOpenProcess and write memory for debugging — expected on developer machines
- Virtualization and sandboxing tools (VMware Tools, VirtualBox Guest Additions) that load modified ntdll copies or interact with process memory for guest-host communication
Other platforms for T1106
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1NtAllocateVirtualMemory Direct Call via PowerShell P/Invoke
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'NtAllocateVirtualMemory'. MDE DeviceEvents: NtAllocateVirtualMemoryApiCall ActionType from the powershell.exe process. PowerShell ScriptBlock Log Event ID 4104: full script content including the DllImport declaration and the API call.
- Test 2Process Injection via NtCreateRemoteThread (C# Executable)
Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, StartAddress pointing to null (suspended thread with null entry point). Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x1F0FFF. MDE DeviceEvents: CreateRemoteThreadApiCall with InitiatingProcessFileName=powershell.exe.
- Test 3API Unhooking — Remap ntdll.dll from Disk
Expected signal: Sysmon Event ID 7 (ImageLoad): The ntdll.dll module is already loaded, but if the unhooking completed (in a real attack), a second load from a temp path would appear. PowerShell ScriptBlock Log Event ID 4104: full script showing ntdll.dll path access and byte comparison. MDE DeviceFileEvents: ReadFile operation on C:\Windows\System32\ntdll.dll from powershell.exe.
- Test 4Direct Syscall Execution via Inline Assembly (SysWhispers2-style)
Expected signal: If compiled: Sysmon Event ID 1 (Process Create) for syscall_test.exe; Sysmon Event ID 11 (File Create) for the .exe in %TEMP%; MDE DeviceFileEvents for the VirtualAlloc RWX allocation. The byte pattern 4C 8B D1 B8 xx 00 00 00 0F 05 C3 in the allocated memory region is the direct syscall stub signature. If not compiled: PowerShell ScriptBlock Event ID 4104 captures the stub bytes for signature validation.
References (13)
- https://attack.mitre.org/techniques/T1106/
- https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
- https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls
- https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/
- https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- https://github.com/jthuraisamy/SysWhispers2
- https://github.com/klezVirus/SysWhispers3
- https://undocumented.ntinternals.net/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md
- https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://security.stackexchange.com/questions/270586/direct-system-calls-detection-edr
Unlock Pro Content
Get the full detection package for T1106 including response playbook, investigation guide, and atomic red team tests.