Monitor local APIs that might be used by adversary tools and activity.
API Monitoring involves capturing an internal OS function for its usage, accompanying arguments, and result. When a defender captures this information, the data gathered can be analyzed to gain insights into the activity of an adversary at a level deeper than normal system activity monitoring. This type of monitoring can also be used to produce high-fidelity detections. For example, the defender can trace activity through WinSock TCP API functions to view potentially malicious network events or trace usage of the Win32 DeleteFile() function to log all attempts at deleting a given file.
|ATT&CK® Tactics||Adversary Vulnerability Presented|
|Privilege Escalation, Command and Control, Discovery, Defense Evasion, Execution, Persistence, Impact||When adversaries utilize or abuse system features, software, or other resources, they may be vulnerable to monitoring or Man-in-the-Middle manipulation|
|Impact, Initial Access||When adversaries interact with network or system resources they are vulnerable to trigger tripwires or engage in easily detectable, anomalous behavior|
|Discovery||When adversaries interact with the environment or personas, they are vulnerable when they collect, observe or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.|