Graylog GO logo

MITRE ATT&CK: API-based Enterprise Techniques and Sub-techniques

Imagine you have a backpack with a granola bar buried at the bottom and a tenacious tiny dog who loves snacks. Even though the dog shouldn’t be able to reach that granola bar stored away carefully, it managed to open a zipper and snoop through the contents to eat the snack.

 

From an IT environment standpoint, Application Programming Interfaces (APIs) are the backpack carrying sensitive – but appealing to attackers – data. Threat actors are persistent snoops trying to gain access to the sensitive data that APIs transmit.

 

By understanding the MITRE ATT&CK API-based techniques, organizations can improve their overall security posture.

 

What are ATT&CK Techniques?

ATT&CK Techniques explain different ways that malicious actors achieve their objectives. These focus on the actions that enable them to succeed. The Techniques give you the “how” of the attack to help you look for security gaps.

 

What are the Enterprise API Techniques and Mitigations?

The ATT&CK Enterprise Matrix focuses on Tactic and Techniques for the types of technologies organizations tend to include in their environments, like:

  • Windows
  • macOS
  • Linux
  • PRE
  • Azure AD
  • Office 365
  • Google Workspace
  • Software-as-a-Service (SaaS)
  • Infrastructure-as-a-Service (IaaS)
  • Network
  • Containers

 

Native API, Technique T1106 – Enterprise

The Native API Technique involves adversaries using native operating system (OS) APIs to call low-level services for:

  • Hardware
  • Memory
  • Processes

Typically, the OS uses these APIs during system boot or when carrying out routine operations. Malicious actors may use these APIs to:

  • Evade detection
  • Tamper with sensors or defensive tools

 

Mitigations include:

  • Enabling Attack Surface Reduction (ASR) rules on Windows 10
  • Using application control tools to identify and block potentially malicious software executed (application whitelisting)

 

Detections include monitoring:

  • DLL/PE file events, especially binary file creation and DLL loading into processes
  • Correlating API function call behavior with process ID and process lineage activity

 

Input Capture: Credential API Hooking, Sub-technique T1056.004 – Enterprise

Credential API Hooking sub-technique is where malicious actors capture API calls containing user authentication parameters. Specific to API functions, hooking redirects calls and can use any of the following:

  • Hooks procedures: the process that translates data for the API
  • Import address table (IAT) hooking: table pointers replaced with hook procedure pointers so the original function’s executable directs to a hooked procedure
  • Inline hooking: overwritten target function bytes executing the hook procedure first

 

While ATT&CK notes that preventive controls are not usually available, it notes that the detections include monitoring:

  • API calls to the SetWindowsHookEx and SetWinEventHook functions
  • Hook chains
  • Verifying life process integrity by comparing in-memory code to corresponding static binaries

 

Unsecured Credentials: Container API, Sub-technique T1552.007 – Enterprise

The Container API sub-technique is where malicious actors collect credentials within a container’s environment. Typically, users remotely manage container resources and cluster components with these APIs. Malicious actors may use this sub-technique against:

  • Docker APIs: collect logs containing cloud, container, and resource credentials
  • Kubernetes API: retrieve credentials from the server, including those related to Docker API authentication or cluster component secrets

 

Mitigations include:

  • Limiting container service communications to managed and secured channels
  • Disabling unauthenticated access to the Docker API and Kubernetes API Server
  • Restricting IP ranges that can access the API server
  • Enabling just-in-time (JIT) access to Kubernetes API
  • Implementing network proxies, gateways, and firewalls to deny direct remote access
  • Implementing principle of least privilege for privileged accounts, like the Kubernetes service account
  • Enforcing authentication and role-based access control (RBAC) on the API

 

Detections include:

  • Establishing centralized logging for container and Kubernetes cluster components
  • Monitoring logs for actions that could gather container and cloud infrastructure credentials, including discovery of new or unexpected users making API calls or APIs accessing Docker logs
  • Monitoring abnormal user activity

 

Obfuscated Files or Information: Dynamic API Resolution, Sub-technique T127.007 – Enterprise

The Dynamic API Resolution sub-technique is where threat actors hide their malware’s malicious functionality by using dynamic API resolution to change file signatures, evading detection until after the calls are resolved or invoked during runtime.

 

While ATT&CK notes that preventive controls are not usually available, it notes that the detections include monitoring:

  • File metadata to identify file-based signatures that can detect dynamic resolution
  • Module loads, especially ones not explicitly included in import tables
  • Calls associated with dynamically loading API functions, like GetProcAddress() or LoadLibrary()

 

Command and Scripting Interpreter: Cloud API, Sub-technique T1059.009 – Enterprise

The Cloud API sub-technique is where malicious actors use cloud APIs to try to gain administrative access across:

  • Compute
  • Storage
  • Identity and Access Management (IAM)
  • Networking
  • Security policies

 

They can compromise these APIIs in different ways, including through:

  • Command line interpreters (CLIs)
  • In-browser CLoud SHells
  • PowerShell modules
  • Software developer kits (SDKs)

 

Mitigations include:

  • Blocking PowerShell CmdLets or other host-based resources with application controls
  • Limiting administrator activity by combining administrative history with robust IAM and RBAC controls

 

Detections include:

  • Reviewing host machine or cloud audit log command history for unauthorized or suspicious commands
  • Logging Cloud API activity and reviewing executed API command sources
  • Reviewing host logs for CLI commands or PowerShell module usage invoking Cloud API functions

 

Unsecured Credentials: Cloud Instance Metadata API, Sub-technique T1552.005 – Enterprise

The Cloud Instance Metadata API sub-technique is where malicious actors compromise the API that cloud service providers supply to customers running virtual instances. The CLoud Instance Metadata API enables applications to access information about he virtual instances, including:

  • Name
  • Security group
  • Credentials
  • UserData scripts containing secrets

 

Across cloud service providers, the Instance Metadata API is http[:]//169.254.169.254, making it easier for them to query if they have a presence on the running virtual instance.

 

Mitigations include:

  • Disabling unnecessary metadata services
  • Restricting or disabling insecure version of metadata services
  • Limiting Instance Metadata API access
  • Configuring a Web Application Firewall (WAF) to mitigate Server-Side Request Forgery (SSRF) attack that could potentially allow access to the Cloud Instance Metadata API
  • Using a host-based firewall to limit access to the Instance Metadata API

 

Detections include:

  • Reviewing host machine or cloud audit log command history for unauthorized or suspicious commands
  • Logging Cloud API activity and reviewing executed API command sources
  • Reviewing host logs for CLI commands or PowerShell module usage invoking Cloud API functions

 

Graylog API Security: Integrating API Monitoring into Threat Detection and Incident Response

Graylog API Security is continuous API security, scanning all API traffic at runtime for active attacks and threats. Mapped to security and quality rules, Graylog API Security captures complete request and response detail, creating a readily accessible datastore for attack detection, fast triage, and threat intelligence.

 

With visibility inside the perimeter, organizations can detect attack traffic from valid users before it reaches their applications. Graylog API Security captures details to immediately identify valid traffic from malicious actions, adding active API intelligence to your security stack. Think of it as a “security analyst in-a-box,” automating API security by detecting and alerting on zero-day attacks and threats.

 

Our pre-configured signatures identify common threats and API failures and integrate with communication tools like Slack, Teams, Gchat, JIRA or via webhooks.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.