Skip to content

DET0529 Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls

Item Value
ID DET0529
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1106 (Native API)

Analytics

Windows

AN1465

Unusual or suspicious processes loading critical native API DLLs (e.g., ntdll.dll, kernel32.dll) followed by direct syscall behavior, memory manipulation, or hollowing.

Log Sources
Data Component Name Channel
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
DllName May tune DLL filters to focus on low-level API providers (e.g., ntdll.dll)
Image Tune for expected parent processes (e.g., explorer.exe, winlogon.exe)
TargetProcess Scope to suspicious targets like LSASS, csrss, etc.

Linux

AN1466

Userland processes invoking syscall-heavy libraries (libc, glibc) followed by fork, mmap, or ptrace behavior commonly associated with code injection or memory manipulation.

Log Sources
Data Component Name Channel
Process Access (DC0035) auditd:SYSCALL execve, fork, mmap, ptrace
Module Load (DC0016) auditd:SYSCALL module load or memory map path
Mutable Elements
Field Description
SyscallType Filter for fork, mmap, ptrace based on context
ProcessName Whitelist known daemon and scheduled task patterns
MAPS Path Tune suspicious memory map regions (e.g., /tmp/.evilshmem)

macOS

AN1467

Execution of processes that link to CoreServices or Foundation APIs followed by creation of memory regions, code execution, or abnormal library injection.

Log Sources
Data Component Name Channel
Module Load (DC0016) macos:unifiedlog launch and dylib load
Process Creation (DC0032) macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC
Mutable Elements
Field Description
API Framework Name Filter on CoreServices, Cocoa, Foundation framework usage
Execution Context Tune to exclude known developer tools or test environments