Sample rules
Potential WinAPI Calls Via CommandLine
- source: sigma
- techniques:
  - t1106
Description
Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec.
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_compatTelRunner:
  CommandLine|contains:
    - FreeHGlobal
    - PtrToString
    - kernel32
    - CloseHandle
  ParentImage|endswith: \CompatTelRunner.exe
filter_optional_mpcmdrun:
  CommandLine|contains: GetLoadLibraryWAddress32
  Image|endswith: \MpCmdRun.exe
selection:
  CommandLine|contains:
    - AddSecurityPackage
    - AdjustTokenPrivileges
    - Advapi32
    - CloseHandle
    - CreateProcessWithToken
    - CreatePseudoConsole
    - CreateRemoteThread
    - CreateThread
    - CreateUserThread
    - DangerousGetHandle
    - DuplicateTokenEx
    - EnumerateSecurityPackages
    - FreeHGlobal
    - FreeLibrary
    - GetDelegateForFunctionPointer
    - GetLogonSessionData
    - GetModuleHandle
    - GetProcAddress
    - GetProcessHandle
    - GetTokenInformation
    - ImpersonateLoggedOnUser
    - kernel32
    - LoadLibrary
    - memcpy
    - MiniDumpWriteDump
    - ntdll
    - OpenDesktop
    - OpenProcess
    - OpenProcessToken
    - OpenThreadToken
    - OpenWindowStation
    - PtrToString
    - QueueUserApc
    - ReadProcessMemory
    - RevertToSelf
    - RtlCreateUserThread
    - secur32
    - SetThreadToken
    - VirtualAlloc
    - VirtualFree
    - VirtualProtect
    - WaitForSingleObject
    - WriteInt32
    - WriteProcessMemory
    - ZeroFreeGlobalAllocUnicode
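To show how the condition above evaluates in practice, here is an added Python matcher (not part of the Sigma rule or project) that applies the selection and the two optional filters to constructed process-creation events. It assumes Sigma's default case-insensitive matching for |contains and |endswith and the CommandLine, Image and ParentImage field names of the process_creation logsource.

```python
from typing import Dict, List

# Keyword lists copied from the rule. Sigma's |contains and |endswith match
# case-insensitively by default, so the helpers below lowercase both sides.
SELECTION = [
    "AddSecurityPackage", "AdjustTokenPrivileges", "Advapi32", "CloseHandle",
    "CreateProcessWithToken", "CreatePseudoConsole", "CreateRemoteThread", "CreateThread",
    "CreateUserThread", "DangerousGetHandle", "DuplicateTokenEx", "EnumerateSecurityPackages",
    "FreeHGlobal", "FreeLibrary", "GetDelegateForFunctionPointer", "GetLogonSessionData",
    "GetModuleHandle", "GetProcAddress", "GetProcessHandle", "GetTokenInformation",
    "ImpersonateLoggedOnUser", "kernel32", "LoadLibrary", "memcpy", "MiniDumpWriteDump",
    "ntdll", "OpenDesktop", "OpenProcess", "OpenProcessToken", "OpenThreadToken",
    "OpenWindowStation", "PtrToString", "QueueUserApc", "ReadProcessMemory", "RevertToSelf",
    "RtlCreateUserThread", "secur32", "SetThreadToken", "VirtualAlloc", "VirtualFree",
    "VirtualProtect", "WaitForSingleObject", "WriteInt32", "WriteProcessMemory",
    "ZeroFreeGlobalAllocUnicode",
]
FILTER_COMPATTEL = ["FreeHGlobal", "PtrToString", "kernel32", "CloseHandle"]


def contains_any(value: str, needles: List[str]) -> bool:
    low = value.lower()
    return any(n.lower() in low for n in needles)


def ends_with(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def matches(event: Dict[str, str]) -> bool:
    """Evaluate 'selection and not 1 of filter_optional_*' for one event."""
    cmd = event.get("CommandLine", "")
    selection = contains_any(cmd, SELECTION)
    # Each filter ANDs its own fields; "1 of" means any single filter that
    # matches in full suppresses the alert.
    f_compattel = (contains_any(cmd, FILTER_COMPATTEL)
                   and ends_with(event.get("ParentImage", ""), r"\CompatTelRunner.exe"))
    f_mpcmdrun = (contains_any(cmd, ["GetLoadLibraryWAddress32"])
                  and ends_with(event.get("Image", ""), r"\MpCmdRun.exe"))
    return selection and not (f_compattel or f_mpcmdrun)


# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"CommandLine": "tool.exe VirtualAlloc WriteProcessMemory CreateRemoteThread",
     "Image": r"C:\Temp\tool.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"CommandLine": "helper.exe kernel32 CloseHandle",
     "Image": r"C:\Windows\System32\helper.exe", "ParentImage": r"C:\Windows\System32\CompatTelRunner.exe"},
    {"CommandLine": "MpCmdRun.exe GetLoadLibraryWAddress32",  # "LoadLibrary" substring hits selection
     "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"CommandLine": "helper.exe virtualalloc",  # CompatTelRunner parent, but keyword not in that filter's list
     "Image": r"C:\Windows\System32\helper.exe", "ParentImage": r"C:\Windows\System32\CompatTelRunner.exe"},
]
```

The third event shows why the MpCmdRun filter exists: "GetLoadLibraryWAddress32" contains "LoadLibrary", so the selection fires and only the Image-scoped filter keeps it quiet; the fourth shows that a CompatTelRunner parent alone does not suppress a hit.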