Monitor local APIs that might be used by adversary tools and activity.
API Monitoring involves capturing calls to internal operating system (OS) functions, together with their arguments and results. When a defender captures this information, it can be analyzed to gain insight into adversary activity at a level deeper than normal system activity monitoring provides.
| ID | Opportunity |
|---|---|
| DOS0027 | There is an opportunity to create a detection with a moderately high probability of success. |
| DOS0028 | There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access. |
| ID | Use Case |
|---|---|
| DUC0031 | A defender can monitor and analyze operating system function calls for detection and alerting. |
| DUC0032 | A defender can monitor operating system function calls to look for adversary use and/or abuse. |
| ID | Procedure |
|---|---|
| DPR0005 | Trace activity through the WinSock TCP API functions to view potentially malicious network events. Log the activity so it can be forwarded to a centralized location and analyzed further. |
| DPR0006 | Hook the Win32 DeleteFile() function to log all attempts to delete a given file. This information can be used to trigger restoration attempts on critical data, reducing the disruption caused if those files are unavailable for prolonged periods of time. |
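One way to consume the telemetry that hooks like DPR0005 and DPR0006 produce, as an added example that is not part of the original page: the one-JSON-object-per-line log format, the `C:\Finance\` critical-path prefix and the sample records are constructed assumptions, not the output of any real hooking product. Every DeleteFile attempt on a critical path is alerted, only successful ones (Win32 returns nonzero) are queued for restoration, and WinSock connect() calls are summarized per process image.

```python
import json
from collections import Counter

# Constructed sample telemetry from a hypothetical DeleteFileW / WinSock hook.
# Format (one JSON object per line) is an assumption, not a real product's.
SAMPLE_LOG = r"""
{"pid":4120,"image":"C:\\Windows\\explorer.exe","api":"DeleteFileW","args":{"lpFileName":"C:\\Users\\bob\\notes.txt"},"result":1}
{"pid":5500,"image":"C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe","api":"DeleteFileW","args":{"lpFileName":"C:\\Finance\\ledger.xlsx"},"result":1}
{"pid":5500,"image":"C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe","api":"connect","args":{"addr":"203.0.113.7","port":4444},"result":0}
{"pid":5500,"image":"C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe","api":"DeleteFileW","args":{"lpFileName":"C:\\Finance\\backup.zip"},"result":0}
not-json garbage line
"""

# Assumed set of paths whose deletion should trigger restoration (DPR0006).
CRITICAL_PREFIXES = ("C:\\Finance\\",)


def parse_records(text):
    """Parse one JSON record per line; malformed lines are dropped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def critical_deletions(records, prefixes=CRITICAL_PREFIXES):
    """Return (alerts, restores). Every DeleteFile* attempt on a critical path
    is alerted; only successful calls (nonzero result) need restoration."""
    lowered = tuple(p.lower() for p in prefixes)
    alerts, restores = [], []
    for r in records:
        if not r.get("api", "").startswith("DeleteFile"):
            continue
        path = r.get("args", {}).get("lpFileName", "")
        if not path.lower().startswith(lowered):
            continue
        alerts.append((r["pid"], r["image"], path, r["result"]))
        if r["result"] != 0:
            restores.append(path)
    return alerts, restores


def network_summary(records):
    """Count WinSock connect() destinations per process image (DPR0005)."""
    counts = Counter()
    for r in records:
        if r.get("api") == "connect":
            a = r.get("args", {})
            counts[(r["image"], a.get("addr"), a.get("port"))] += 1
    return counts
```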
| ID | ATT&CK Technique | Tactic |
|---|---|---|
| T1007 | System Service Discovery | Discovery |
| T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| T1218 | Signed Binary Proxy Execution | Defense Evasion |
| T1553 | Subvert Trust Controls | Defense Evasion |