1. Home
  2. ATT&CK Techniques
  3. T1106 Native API

T1106 Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.

Native API functions (such as <code>NtCreateProcess</code>) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)

Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via Disable or Modify Tools.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1106 Native API
SI-02 Flaw Remediation mitigates T1106 Native API
SI-03 Malicious Code Protection mitigates T1106 Native API
CM-02 Baseline Configuration mitigates T1106 Native API
CM-07 Least Functionality mitigates T1106 Native API
SI-04 System Monitoring mitigates T1106 Native API
AC-06 Least Privilege mitigates T1106 Native API

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability secondary_impact T1106 Native API
Comments
A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.
References
  1. https://www.helpnetsecurity.com/2025/04/17/apple-plugs-zero-days-holes-used-in-targeted-iphone-attacks-cve-2025-31200-cve-2025-31201/
  2. https://otx.alienvault.com/pulse/68535107fa6c00d6f9ffbc84
CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability secondary_impact T1106 Native API
Comments
A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.
References
  1. https://www.helpnetsecurity.com/2025/04/17/apple-plugs-zero-days-holes-used-in-targeted-iphone-attacks-cve-2025-31200-cve-2025-31201/
  2. https://otx.alienvault.com/pulse/68535107fa6c00d6f9ffbc84
CVE-2023-1389 TP-Link Archer AX-21 Command Injection Vulnerability exploitation_technique T1106 Native API
Comments
CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices.
References
  1. https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
  2. https://cybersecuritynews.com/hackers-exploiting-tp-link/
  3. https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
CVE-2025-20337 Cisco Identity Services Engine Injection Vulnerability exploitation_technique T1106 Native API
Comments
This vulnerability, present in the API in Cisco ISE and Cisco ISE-PIC, allows for an attacker to use maliciously crafted API requests to a vulnerable device. If exploited, the attacker can gain the ability to execute arbitrary code at the root level.
References
  1. https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-ise-unauth-rce-ZAd2GnJ6.html
CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability exploitation_technique T1106 Native API
Comments
This vulnerability, present in the API in Cisco ISE and Cisco ISE-PIC, allows for an attacker to use maliciously crafted API requests to a vulnerable device. If exploited, the attacker can gain the ability to execute arbitrary code at the root level.
References
  1. https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-ise-unauth-rce-ZAd2GnJ6.html
CVE-2020-8657 EyesOfNetwork Use of Hard-Coded Credentials Vulnerability exploitation_technique T1106 Native API
Comments
CVE-2020-8657 identifies a security issue in EyesOfNetwork 5.3 that exposes a vulnerability in the API key implementation.
References
  1. https://www.clouddefense.ai/cve/2020/CVE-2020-8657
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability primary_impact T1106 Native API
Comments
Due to static credentials found in Cisco Smart Licensing Utility, a remote, unauthenticated attacker can gain administrative access through the API.
References
  1. https://arcticwolf.com/resources/blog/cve-2024-20439-cve-2024-20440-critical-cisco-smart-licensing-utility-vulnerabilities/

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1106 Native API

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
microsoft_sentinel Microsoft Sentinel technique_scores T1106 Native API
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes a variety of enumeration modules that have an option to use API calls to carry out tasks, but does not address other procedures.
References
  1. https://learn.microsoft.com/en-us/azure/sentinel/overview
  2. https://learn.microsoft.com/en-us/azure/sentinel/hunting

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1106 Native API
Comments
Google Security Ops is able to trigger an alert for suspicious events related to the API (e.g., "API keys created for a project"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_no_project_api_keys.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']