T0834 Native API
Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. [1] The OS relies on these native APIs during system boot (when other system components are not yet initialized) as well as for carrying out tasks and requests during routine operations.

Functionality provided by native APIs is often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.
| Item | Value |
|---|---|
| ID | T0834 |
| Sub-techniques | |
| Tactics | TA0104 |
| Platforms | Control Server, Data Historian, Field Controller/RTU/PLC/IED, Human-Machine Interface, Input/Output Server, Safety Instrumented System/Protection Relay |
| Version | 1.0 |
| Created | 13 April 2021 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1006 | PLC-Blaster | PLC-Blaster uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with the TRCV and TSEND system function blocks. [3] |
| S0603 | Stuxnet | Stuxnet calls system function blocks which are part of the operating system running on the PLC. They're used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. [2] |
| S1009 | Triton | Triton's imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. [4] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0938 | Execution Prevention | Minimize the exposure of API calls that allow the execution of code. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0009 | Process | OS API Execution |
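The mitigation (M0938) and the detection data component (DS0009, OS API Execution) fit together naturally: if a defender has decided which native API calls each process on a controller is expected to make, the same allowlist that limits exposure also defines what counts as an anomalous call. The following Python script is an added example and not code from MITRE or from any of the referenced projects. The telemetry line format, the process names (`firmware`, `userprog`, `tricon_rt`), the per-process allowlist and the log lines themselves are all constructed for illustration; the API names are the system function blocks and functions named in the procedure examples above.

```python
"""Allowlist-based review of OS API execution telemetry (DS0009).

Added example for this page. The log format, host and process names,
and the allowlist are constructed for illustration, not taken from any
real controller or product.
"""
import re
from collections import defaultdict

# Constructed telemetry: <timestamp> <host> <process> api=<name> [key=value ...]
SAMPLE_LOG = """\
2023-03-09T10:00:01Z plc01 firmware api=SFC1
2023-03-09T10:00:02Z plc01 firmware api=TCON dst=10.0.0.9:102
2023-03-09T10:00:03Z plc01 userprog api=SFC1
2023-03-09T10:00:04Z plc01 userprog api=TCON dst=10.0.0.77:102
2023-03-09T10:00:05Z plc01 userprog api=TSEND len=512
2023-03-09T10:00:06Z plc01 userprog api=TDISCON
2023-03-09T10:00:07Z sis01 tricon_rt api=TsHi.ExplWriteRam addr=0x00400000
"""

# Constructed allowlist (assumption): the native API calls each process is
# expected to make. Anything outside this set, or any unknown process, is
# reported. This is the M0938 idea expressed as data a detector can use.
ALLOWLIST = {
    "firmware": {"SFC1", "TCON", "TDISCON", "TRCV", "TSEND"},
    "userprog": {"SFC1"},   # reads the clock; is not expected to open sockets
    "tricon_rt": set(),     # no direct memory read/write calls expected
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) api=(?P<api>\S+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one constructed telemetry line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest").split()
    # Trailing key=value arguments (destination, length, address, ...)
    ev["args"] = dict(kv.split("=", 1) for kv in rest if "=" in kv)
    return ev


def find_unexpected_api_calls(log_text, allowlist=ALLOWLIST):
    """Return every event whose API name is not allowlisted for its process."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        allowed = allowlist.get(ev["proc"])
        if allowed is None or ev["api"] not in allowed:
            alerts.append(ev)
    return alerts


def summarize(alerts):
    """Count alerts per (host, process, api) so a reviewer sees patterns, not noise."""
    counts = defaultdict(int)
    for ev in alerts:
        counts[(ev["host"], ev["proc"], ev["api"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in find_unexpected_api_calls(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['host']} {ev['proc']} unexpected call {ev['api']} {ev['args']}")
    print(summarize(find_unexpected_api_calls(SAMPLE_LOG)))
```

Run against the constructed log, the script flags the user program's TCON/TSEND/TDISCON sequence (a socket opened, a buffer sent, the connection torn down, matching the PLC-Blaster pattern described above) and the memory write on the safety controller, while the firmware's own use of the same function blocks passes. The value of this approach rests entirely on the quality of the allowlist, which has to be built from a baseline of what each process legitimately does.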
References
1. The MITRE Corporation. (2017, May 31). ATT&CK T1106: Native API. Retrieved 2021/04/26.
2. Nicolas Falliere, Liam O'Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved 2017/09/22.
3. Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). PLC-Blaster: A worm living solely in the PLC. Retrieved 2017/09/19.
4. Jos Wetzels. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved 2019/10/22.