Monitor local APIs that might be used by adversary tools and activity.
API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring.
Opportunities:
- There is an opportunity to create a detection with a moderately high probability of success.
- There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.
Use Cases:
- A defender can monitor and analyze operating system function calls for detection and alerting.
- A defender can monitor operating system function calls to look for adversary use and/or abuse.
Procedures:
- Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further.
- Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time.
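The two procedures above (tracing WinSock TCP calls and hooking DeleteFile()) both end with the same step: the hook layer records a call and a defender-side analyzer turns those records into alerts, restoration triggers and centralized logs. The following is an added example of that analysis stage; it is not MITRE's code and not part of the original page. It assumes a hook layer that emits one JSON record per captured call with the fields `pid`, `process`, `api`, `args` and `result` (that record layout, the sample records, the critical path prefix `C:\Finance\` and the allowed-port set are all constructed for illustration). It also shows two things the procedures only imply: a malformed record is flagged rather than silently dropped, and hits from the two different hooks are correlated per process.

```python
import json
from collections import defaultdict

# Constructed sample telemetry: one record per hooked call (process, api, args, result).
# The record layout is an assumption of this example, not a MITRE or Windows format.
RAW_RECORDS = [
    {"pid": 4120, "process": "explorer.exe", "api": "DeleteFileW",
     "args": {"lpFileName": r"C:\Users\alice\Downloads\tmp.txt"}, "result": 1},
    {"pid": 5011, "process": "updater.exe", "api": "DeleteFileW",
     "args": {"lpFileName": r"C:\Finance\ledger.xlsx"}, "result": 1},
    {"pid": 5011, "process": "updater.exe", "api": "connect",
     "args": {"ip": "198.51.100.7", "port": 4444}, "result": 0},
    {"pid": 2204, "process": "outlook.exe", "api": "connect",
     "args": {"ip": "192.0.2.10", "port": 443}, "result": 0},
    {"pid": 5011, "process": "updater.exe", "api": "DeleteFileW",
     "args": {"lpFileName": r"C:\Finance\Q3-report.docx"}, "result": 0},
    "not json at all",  # a corrupted line, to exercise the malformed-record path
]
SAMPLE_LINES = [r if isinstance(r, str) else json.dumps(r) for r in RAW_RECORDS]

CRITICAL_PREFIXES = ("c:\\finance\\",)   # constructed: paths whose deletion triggers restoration
ALLOWED_TCP_PORTS = {80, 443}           # constructed: outbound ports considered normal here


def parse_record(line):
    """Return the record dict, or None if the line is not JSON or lacks required fields."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not all(
            k in rec for k in ("pid", "process", "api", "args", "result")):
        return None
    return rec


def is_critical(path):
    """Case-insensitive prefix match, since Win32 paths are case-insensitive."""
    return path.lower().startswith(CRITICAL_PREFIXES)


def analyze(lines):
    """Turn raw hook records into a list of alerts and a list of files to restore."""
    alerts, restore = [], []
    per_pid = defaultdict(set)  # which hook families fired for each process
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            alerts.append({"kind": "malformed_record", "severity": "low", "detail": line[:80]})
            continue
        pid, proc, api, args = rec["pid"], rec["process"], rec["api"], rec["args"]
        if api in ("DeleteFileA", "DeleteFileW") and is_critical(args.get("lpFileName", "")):
            # DeleteFile returns nonzero on success; zero means the attempt failed.
            succeeded = rec["result"] != 0
            alerts.append({"kind": "critical_file_delete",
                           "severity": "high" if succeeded else "medium",
                           "pid": pid, "process": proc,
                           "detail": args["lpFileName"], "succeeded": succeeded})
            if succeeded:
                restore.append(args["lpFileName"])  # feed the restoration workflow
            per_pid[pid].add("delete")
        elif api == "connect" and args.get("port") not in ALLOWED_TCP_PORTS:
            alerts.append({"kind": "unusual_outbound_tcp", "severity": "medium",
                           "pid": pid, "process": proc,
                           "detail": f'{args.get("ip")}:{args.get("port")}'})
            per_pid[pid].add("network")
    # Correlate the two hooks: one process both deleting critical data and opening an
    # unusual outbound connection is more significant than either event alone.
    for pid, kinds in per_pid.items():
        if kinds == {"delete", "network"}:
            alerts.append({"kind": "delete_and_connect", "severity": "critical", "pid": pid,
                           "detail": "critical-file deletion and unusual outbound TCP from same process"})
    return alerts, restore


def to_siem_lines(alerts, source="api-monitor"):
    """Serialize alerts as newline-delimited JSON for forwarding to a central collector."""
    return [json.dumps({"source": source, **a}, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    found, to_restore = analyze(SAMPLE_LINES)
    print("\n".join(to_siem_lines(found)))
    print("files to restore:", to_restore)
```

Run as-is and the script prints five alerts (two DeleteFile hits on the finance share, one unusual connect, one malformed line, and one correlated per-process finding) plus a single file queued for restoration; the failed deletion is alerted on but not queued, since the file is still present.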
ATT&CK Techniques:
- System Service Discovery
- Deobfuscate/Decode Files or Information
- Signed Binary Proxy Execution
- Subvert Trust Controls