Monitor local APIs that might be used by adversary tools and activity.
API Monitoring involves capturing calls to internal Operating System (OS) functions, together with the arguments passed and the result returned. When a defender captures this information, the data gathered can be analyzed to gain insight into adversary activity at a level deeper than ordinary system activity monitoring (process, file, and network events) provides.
| Opportunity ID | Description |
|---|---|
| DOS0027 | There is an opportunity to create a detection with a moderately high probability of success. |
| DOS0028 | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. |
| Use Case ID | Description |
|---|---|
| DUC0031 | A defender can monitor and analyze operating system function calls for detection and alerting. |
| DUC0032 | A defender can monitor operating system function calls to look for adversary use and/or abuse of those functions. |
| Procedure ID | Description |
|---|---|
| DPR0005 | Trace activity through WinSock TCP API functions (e.g., connect()) to view potentially malicious network events. Log each call so the records can be pushed to a centralized location and analyzed further. |
| DPR0006 | Hook the Win32 DeleteFile() function (DeleteFileA/DeleteFileW) to log every attempt at deleting a given file, whether or not the call succeeds. This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time. |
| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1007 | System Service Discovery | Discovery |
| T1106 | Native API | Execution |
| T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| T1218 | Signed Binary Proxy Execution | Defense Evasion |
| T1553 | Subvert Trust Controls | Defense Evasion |
| T1569 | System Services | Execution |