Potential WinAPI Calls Via CommandLine
Detects the use of WinAPI functions via the command line, as seen used by threat actors with the tool winapiexec.
Sigma rule
```yaml
title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
    - id: 03d83090-8cba-44a0-b02f-0b756a050306
      type: derived
status: test
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
    - https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-06
modified: 2023-01-09
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'AddSecurityPackage'
            - 'AdjustTokenPrivileges'
            - 'Advapi32'
            - 'CloseHandle'
            - 'CreateProcessWithToken'
            - 'CreatePseudoConsole'
            - 'CreateRemoteThread'
            - 'CreateThread'
            - 'CreateUserThread'
            - 'DangerousGetHandle'
            - 'DuplicateTokenEx'
            - 'EnumerateSecurityPackages'
            - 'FreeHGlobal'
            - 'FreeLibrary'
            - 'GetDelegateForFunctionPointer'
            - 'GetLogonSessionData'
            - 'GetModuleHandle'
            - 'GetProcAddress'
            - 'GetProcessHandle'
            - 'GetTokenInformation'
            - 'ImpersonateLoggedOnUser'
            - 'kernel32'
            - 'LoadLibrary'
            - 'memcpy'
            - 'MiniDumpWriteDump'
            # - 'msvcrt'
            - 'ntdll'
            - 'OpenDesktop'
            - 'OpenProcess'
            - 'OpenProcessToken'
            - 'OpenThreadToken'
            - 'OpenWindowStation'
            - 'PtrToString'
            - 'QueueUserApc'
            - 'ReadProcessMemory'
            - 'RevertToSelf'
            - 'RtlCreateUserThread'
            - 'secur32'
            - 'SetThreadToken'
            # - 'user32'
            - 'VirtualAlloc'
            - 'VirtualFree'
            - 'VirtualProtect'
            - 'WaitForSingleObject'
            - 'WriteInt32'
            - 'WriteProcessMemory'
            - 'ZeroFreeGlobalAllocUnicode'
    filter_optional_mpcmdrun:
        Image|endswith: '\MpCmdRun.exe'
        CommandLine|contains: 'GetLoadLibraryWAddress32'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
References
- https://twitter.com/m417z/status/1566674631788007425
Related rules
- BPFDoor Abnormal Process ID or Lock File Accessed
- HackTool - CobaltStrike BOF Injection Pattern
- HackTool - HandleKatz Duplicating LSASS Handle
- HackTool - RedMimicry Winnti Playbook Execution
- Potential Binary Proxy Execution Via Cdb.EXE