
Potential WinAPI Calls Via CommandLine

Format: Sigma · Level: HIGH · Source: SigmaHQ · ATT&CK: T1106 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-21T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects Win32 API function names, and the DLLs that export them (kernel32, ntdll, Advapi32, secur32), appearing as literal strings in a process command line. That happens when an API is invoked directly from the command line, as threat actors have been seen doing with the tool winapiexec, and when a script host is handed an inline P/Invoke or Marshal call (the selection also lists .NET interop members such as PtrToString, FreeHGlobal, DangerousGetHandle and GetDelegateForFunctionPointer). The matched names cover memory allocation and protection, remote thread and APC creation, process memory access, token manipulation and memory dumping, so a hit is worth a look at the full command line and the parent process.

Detection Rule

Sigma (Original)

title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
    - id: 03d83090-8cba-44a0-b02f-0b756a050306
      type: derived
status: test
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
    - https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-06
modified: 2025-03-06
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'AddSecurityPackage'
            - 'AdjustTokenPrivileges'
            - 'Advapi32'
            - 'CloseHandle'
            - 'CreateProcessWithToken'
            - 'CreatePseudoConsole'
            - 'CreateRemoteThread'
            - 'CreateThread'
            - 'CreateUserThread'
            - 'DangerousGetHandle'
            - 'DuplicateTokenEx'
            - 'EnumerateSecurityPackages'
            - 'FreeHGlobal'
            - 'FreeLibrary'
            - 'GetDelegateForFunctionPointer'
            - 'GetLogonSessionData'
            - 'GetModuleHandle'
            - 'GetProcAddress'
            - 'GetProcessHandle'
            - 'GetTokenInformation'
            - 'ImpersonateLoggedOnUser'
            - 'kernel32'
            - 'LoadLibrary'
            - 'memcpy'
            - 'MiniDumpWriteDump'
            # - 'msvcrt'
            - 'ntdll'
            - 'OpenDesktop'
            - 'OpenProcess'
            - 'OpenProcessToken'
            - 'OpenThreadToken'
            - 'OpenWindowStation'
            - 'PtrToString'
            - 'QueueUserApc'
            - 'ReadProcessMemory'
            - 'RevertToSelf'
            - 'RtlCreateUserThread'
            - 'secur32'
            - 'SetThreadToken'
            # - 'user32'
            - 'VirtualAlloc'
            - 'VirtualFree'
            - 'VirtualProtect'
            - 'WaitForSingleObject'
            - 'WriteInt32'
            - 'WriteProcessMemory'
            - 'ZeroFreeGlobalAllocUnicode'
    filter_optional_mpcmdrun:
        Image|endswith: '\MpCmdRun.exe'
        CommandLine|contains: 'GetLoadLibraryWAddress32'
    filter_optional_compatTelRunner:
        ParentImage|endswith: '\CompatTelRunner.exe'
        CommandLine|contains:
            - 'FreeHGlobal'
            - 'PtrToString'
            - 'kernel32'
            - 'CloseHandle'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (
    TargetProcessCommandLine contains "AddSecurityPackage"
    or TargetProcessCommandLine contains "AdjustTokenPrivileges"
    or TargetProcessCommandLine contains "Advapi32"
    or TargetProcessCommandLine contains "CloseHandle"
    or TargetProcessCommandLine contains "CreateProcessWithToken"
    or TargetProcessCommandLine contains "CreatePseudoConsole"
    or TargetProcessCommandLine contains "CreateRemoteThread"
    or TargetProcessCommandLine contains "CreateThread"
    or TargetProcessCommandLine contains "CreateUserThread"
    or TargetProcessCommandLine contains "DangerousGetHandle"
    or TargetProcessCommandLine contains "DuplicateTokenEx"
    or TargetProcessCommandLine contains "EnumerateSecurityPackages"
    or TargetProcessCommandLine contains "FreeHGlobal"
    or TargetProcessCommandLine contains "FreeLibrary"
    or TargetProcessCommandLine contains "GetDelegateForFunctionPointer"
    or TargetProcessCommandLine contains "GetLogonSessionData"
    or TargetProcessCommandLine contains "GetModuleHandle"
    or TargetProcessCommandLine contains "GetProcAddress"
    or TargetProcessCommandLine contains "GetProcessHandle"
    or TargetProcessCommandLine contains "GetTokenInformation"
    or TargetProcessCommandLine contains "ImpersonateLoggedOnUser"
    or TargetProcessCommandLine contains "kernel32"
    or TargetProcessCommandLine contains "LoadLibrary"
    or TargetProcessCommandLine contains "memcpy"
    or TargetProcessCommandLine contains "MiniDumpWriteDump"
    or TargetProcessCommandLine contains "ntdll"
    or TargetProcessCommandLine contains "OpenDesktop"
    or TargetProcessCommandLine contains "OpenProcess"
    or TargetProcessCommandLine contains "OpenProcessToken"
    or TargetProcessCommandLine contains "OpenThreadToken"
    or TargetProcessCommandLine contains "OpenWindowStation"
    or TargetProcessCommandLine contains "PtrToString"
    or TargetProcessCommandLine contains "QueueUserApc"
    or TargetProcessCommandLine contains "ReadProcessMemory"
    or TargetProcessCommandLine contains "RevertToSelf"
    or TargetProcessCommandLine contains "RtlCreateUserThread"
    or TargetProcessCommandLine contains "secur32"
    or TargetProcessCommandLine contains "SetThreadToken"
    or TargetProcessCommandLine contains "VirtualAlloc"
    or TargetProcessCommandLine contains "VirtualFree"
    or TargetProcessCommandLine contains "VirtualProtect"
    or TargetProcessCommandLine contains "WaitForSingleObject"
    or TargetProcessCommandLine contains "WriteInt32"
    or TargetProcessCommandLine contains "WriteProcessMemory"
    or TargetProcessCommandLine contains "ZeroFreeGlobalAllocUnicode"
  )
  and not(
    (TargetProcessName endswith "\\MpCmdRun.exe" and TargetProcessCommandLine contains "GetLoadLibraryWAddress32")
    or (
      (ParentProcessName endswith "\\CompatTelRunner.exe" or ActingProcessName endswith "\\CompatTelRunner.exe")
      and (
        TargetProcessCommandLine contains "FreeHGlobal"
        or TargetProcessCommandLine contains "PtrToString"
        or TargetProcessCommandLine contains "kernel32"
        or TargetProcessCommandLine contains "CloseHandle"
      )
    )
  )
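To see how the Sigma rule above and its KQL translation actually behave on events, here is an added example, not SigmaHQ's code and not part of the original page, that reimplements the selection and the two optional filters in plain Python and runs them over a handful of constructed process_creation events. The token list is copied from the rule; every path and command line is an illustrative assumption (the dll@Function argument form only loosely follows winapiexec, and the CompatTelRunner and MpCmdRun command lines are not captured telemetry). It shows why MpCmdRun's GetLoadLibraryWAddress32 argument hits the selection at all (it contains LoadLibrary) and, as a caveat, that the CompatTelRunner filter fires on any one of its four tokens, so a child whose command line mentions kernel32 is suppressed even when it also mentions WriteProcessMemory.

```python
# Added example, not SigmaHQ code: the rule's selection / filter logic
# as plain Python, run over constructed process_creation events.

# Substrings from the rule's selection list. Sigma 'contains' is
# case-insensitive, so matching is done on lower-cased command lines.
API_TOKENS = [
    "AddSecurityPackage", "AdjustTokenPrivileges", "Advapi32", "CloseHandle",
    "CreateProcessWithToken", "CreatePseudoConsole", "CreateRemoteThread",
    "CreateThread", "CreateUserThread", "DangerousGetHandle", "DuplicateTokenEx",
    "EnumerateSecurityPackages", "FreeHGlobal", "FreeLibrary",
    "GetDelegateForFunctionPointer", "GetLogonSessionData", "GetModuleHandle",
    "GetProcAddress", "GetProcessHandle", "GetTokenInformation",
    "ImpersonateLoggedOnUser", "kernel32", "LoadLibrary", "memcpy",
    "MiniDumpWriteDump", "ntdll", "OpenDesktop", "OpenProcess", "OpenProcessToken",
    "OpenThreadToken", "OpenWindowStation", "PtrToString", "QueueUserApc",
    "ReadProcessMemory", "RevertToSelf", "RtlCreateUserThread", "secur32",
    "SetThreadToken", "VirtualAlloc", "VirtualFree", "VirtualProtect",
    "WaitForSingleObject", "WriteInt32", "WriteProcessMemory",
    "ZeroFreeGlobalAllocUnicode",
]
# Tokens of filter_optional_compatTelRunner: any ONE of them, together with a
# CompatTelRunner parent, suppresses the whole event.
COMPATTEL_FILTER_TOKENS = ("FreeHGlobal", "PtrToString", "kernel32", "CloseHandle")


def matched_tokens(command_line):
    """Return the selection tokens present in command_line, in rule order."""
    lowered = command_line.lower()
    return [t for t in API_TOKENS if t.lower() in lowered]


def matched_filter(event):
    """Name of the optional filter that suppresses the event, or None."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if image.endswith("\\mpcmdrun.exe") and "getloadlibrarywaddress32" in cmd:
        return "filter_optional_mpcmdrun"
    if parent.endswith("\\compattelrunner.exe") and any(
        t.lower() in cmd for t in COMPATTEL_FILTER_TOKENS
    ):
        return "filter_optional_compatTelRunner"
    return None


def evaluate(event):
    """Apply 'condition: selection and not 1 of filter_optional_*'."""
    hits = matched_tokens(event.get("CommandLine", ""))
    if not hits:
        return {"alert": False, "hits": [], "filtered_by": None}
    suppressed_by = matched_filter(event)
    return {"alert": suppressed_by is None, "hits": hits, "filtered_by": suppressed_by}


# Constructed sample events (not captured telemetry). Paths and command lines
# are illustrative only; the dll@Function form only loosely follows winapiexec.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CTR = r"C:\Windows\System32\CompatTelRunner.exe"
SAMPLES = {
    "winapiexec_style": {
        "Image": r"C:\Users\Public\winapiexec.exe",
        "CommandLine": "winapiexec.exe kernel32.dll@LoadLibraryW user32.dll"},
    # inline P/Invoke from a script host; 'Kernel32' matches case-insensitively
    "powershell_pinvoke": {
        "Image": PS,
        "CommandLine": 'powershell.exe -NoProfile -Command "[Win32.Kernel32]::VirtualAlloc(0, 4096, 0x3000, 0x40)"'},
    # selection hits only because GetLoadLibraryWAddress32 contains 'LoadLibrary'
    "defender_mpcmdrun": {
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "CommandLine": '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -GetLoadLibraryWAddress32'},
    # Marshal calls under CompatTelRunner: filter tokens present, suppressed
    "compattel_child": {
        "Image": PS, "ParentImage": CTR,
        "CommandLine": 'powershell.exe -Command "[Runtime.InteropServices.Marshal]::PtrToStringAuto($p); [Runtime.InteropServices.Marshal]::FreeHGlobal($p)"'},
    # caveat: 'kernel32' alone satisfies the filter, hiding WriteProcessMemory too
    "compattel_child_mixed": {
        "Image": PS, "ParentImage": CTR,
        "CommandLine": 'powershell.exe -Command "[Win32.Kernel32]::WriteProcessMemory($h, $a, $b, $b.Length, [ref]0)"'},
    # same parent, no filter token: the alert stands
    "compattel_child_wpm": {
        "Image": PS, "ParentImage": CTR,
        "CommandLine": 'powershell.exe -Command "[Win32.Native]::WriteProcessMemory($h, $a, $b, $b.Length, [ref]0)"'},
    "benign_cmd": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users"},
}


def run_samples():
    """Evaluate every sample; returns {name: result} for inspection or tests."""
    return {name: evaluate(ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in run_samples().items():
        verdict = "ALERT" if r["alert"] else ("suppressed" if r["filtered_by"] else "no match")
        print(f"{name:<22} {verdict:<10} hits={r['hits']} filter={r['filtered_by']}")
```

Run it as a script to print one verdict per sample. The substring semantics are the point: the Sigma `contains` modifier and the KQL `contains` operator are both case-insensitive substring tests, which is what lets `Kernel32` match `kernel32` and `GetLoadLibraryWAddress32` match `LoadLibrary`; when you add your own exclusions, mirror the structure here and keep them tied to the image or parent rather than adding more bare tokens.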

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

The rule's own falsepositives note applies: some legitimate actions and applications use these functions, so investigate before acting. The selection is a plain case-insensitive substring match, and short tokens such as kernel32, ntdll, CloseHandle, CreateThread and memcpy occur in ordinary developer and administration command lines (compiler and debugger invocations, script one-liners that declare P/Invoke signatures); note that user32 and msvcrt appear in the selection only as commented-out entries. The two optional filters record the known benign sources: MpCmdRun.exe with GetLoadLibraryWAddress32 on its command line (which matches the selection only because it contains LoadLibrary), and children of CompatTelRunner.exe whose command line contains FreeHGlobal, PtrToString, kernel32 or CloseHandle. Both filters are broad: the CompatTelRunner one suppresses the event when any one of those four tokens is present, whatever else the command line contains. Keep any exclusion you add as narrow as the parent, image and exact argument allow, and tune against your own baseline rather than trimming the token list.

MITRE ATT&CK Context

Tactic: Execution (attack.execution). Technique: T1106 Native API (attack.t1106). Adversaries call Windows API functions directly to execute code, and the listed names cover the usual primitives: VirtualAlloc, VirtualProtect, WriteProcessMemory, CreateRemoteThread, QueueUserApc and RtlCreateUserThread for injection; OpenProcessToken, DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken and AdjustTokenPrivileges for token manipulation; MiniDumpWriteDump for memory dumping. The rule is marked as derived from rule 03d83090-8cba-44a0-b02f-0b756a050306.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml