title: Native API (T1106)
id: df00tech-t1106
status: experimental
description: "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. Adversaries abuse these APIs to execute code while bypassing higher-level defensive sensors, AMSI, and user-mode API hooks. Common attack patterns include: direct syscall invocation (bypassing ntdll.dll hooks entirely), process injection via NT memory APIs (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, RtlCreateUserThread), API unhooking by re-mapping a clean copy of ntdll.dll from disk, and spawning processes via NtCreateProcess or NtCreateProcessEx rather than the standard Win32 CreateProcess. Real-world threat actors such as Medusa Group, and tooling such as Cobalt Strike and SysWhispers, leverage direct syscalls specifically to evade EDR user-mode hooks."
references:
  - https://attack.mitre.org/techniques/T1106/
  - https://df00tech.com/detections/T1106
author: df00tech
date: 2026/04/17
tags:
  - attack.t1106
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Endpoint security products (AV, EDR, DLP agents) that legitimately use process injection for in-memory scanning or API hooking — exclude by InitiatingProcessFileName matching known security vendor executables"
  - "Game anti-cheat engines (BattlEye, EasyAntiCheat, Vanguard) that inject into game processes for integrity monitoring — baseline these on gaming workstations"
  - Software DRM and licensing systems that use code injection to verify license state at runtime
  - "Legitimate debuggers (WinDbg, x64dbg, Visual Studio debugger) that use NtOpenProcess and write memory for debugging — expected on developer machines"
  - "Virtualization and sandboxing tools (VMware Tools, VirtualBox Guest Additions) that load modified ntdll copies or interact with process memory for guest-host communication"
level: high
