MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

API Monitoring

Monitor local APIs that might be used by adversary tools and activity.

API Monitoring involves capturing an internal Operating System (OS) function for its usage, accompanying arguments, and result. When a defender captures this information, the intelligence gathered can be analyzed to gain insight into the activity of an adversary at a level deeper than normal system activity monitoring.

ID: DTE0003
Tactics:  Detect Collect Channel Test


DOS0027 There is an opportunity to create a detection with a moderately high probability of success.
DOS0028 There is an opportunity for the defender to observe the adversary and control what they can see, what effects they can have, and/or what data they can access.

Use Cases

DUC0031 A defender can monitor and analyze operating system functions calls for detection and alerting.
DUC0032 A defender can monitor operating system functions calls to look for adversary use and/or abuse.


DPR0005 Trace activity through WinSock TCP API functions to view potentially malicious network events. Log it such that it can be pushed to a centralized location and analyzed further.
DPR0006 Hook the Win32 DeleteFile() function to log all attempts at deleting a given file. This information can be used to trigger restoration attempts on critical data, reducing potential disruption if those files are unavailable for prolonged periods of time.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1007 System Service Discovery Discovery
T1106 Native API Execution
T1140 Deobfuscate/Decode Files or Information Defense Evasion
T1218 Signed Binary Proxy Execution Defense Evasion
T1553 Subvert Trust Controls Defense Evasion
T1569 System Services Execution