Potential WinAPI Calls Via CommandLine

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1106` Native API

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection`

or:
CommandLine|contains: AddSecurityPackage
CommandLine|contains: AdjustTokenPrivileges
CommandLine|contains: Advapi32
CommandLine|contains: CloseHandle
CommandLine|contains: CreateProcessWithToken
CommandLine|contains: CreatePseudoConsole
CommandLine|contains: CreateRemoteThread
CommandLine|contains: CreateThread
CommandLine|contains: CreateUserThread
CommandLine|contains: DangerousGetHandle
CommandLine|contains: DuplicateTokenEx
CommandLine|contains: EnumerateSecurityPackages
CommandLine|contains: FreeHGlobal
CommandLine|contains: FreeLibrary
CommandLine|contains: GetDelegateForFunctionPointer
CommandLine|contains: GetLogonSessionData
CommandLine|contains: GetModuleHandle
CommandLine|contains: GetProcAddress
CommandLine|contains: GetProcessHandle
CommandLine|contains: GetTokenInformation
CommandLine|contains: ImpersonateLoggedOnUser
CommandLine|contains: LoadLibrary
CommandLine|contains: MiniDumpWriteDump
CommandLine|contains: OpenDesktop
CommandLine|contains: OpenProcess
CommandLine|contains: OpenProcessToken
CommandLine|contains: OpenThreadToken
CommandLine|contains: OpenWindowStation
CommandLine|contains: PtrToString
CommandLine|contains: QueueUserApc
CommandLine|contains: ReadProcessMemory
CommandLine|contains: RevertToSelf
CommandLine|contains: RtlCreateUserThread
CommandLine|contains: SetThreadToken
CommandLine|contains: VirtualAlloc
CommandLine|contains: VirtualFree
CommandLine|contains: VirtualProtect
CommandLine|contains: WaitForSingleObject
CommandLine|contains: WriteInt32
CommandLine|contains: WriteProcessMemory
CommandLine|contains: ZeroFreeGlobalAllocUnicode
CommandLine|contains: kernel32
CommandLine|contains: memcpy
CommandLine|contains: ntdll
CommandLine|contains: secur32

Stage 2: `not 1 of filter_optional_*`

or:
or:
CommandLine|contains: CloseHandle
CommandLine|contains: FreeHGlobal
CommandLine|contains: PtrToString
CommandLine|contains: kernel32
ParentImage|endswith: '\CompatTelRunner.exe'
CommandLine|contains: GetLoadLibraryWAddress32
Image|endswith: '\MpCmdRun.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`AddSecurityPackage` `AdjustTokenPrivileges` `Advapi32` `CloseHandle` `CreateProcessWithToken` `CreatePseudoConsole` `CreateRemoteThread` `CreateThread` `CreateUserThread` `DangerousGetHandle` `DuplicateTokenEx` `EnumerateSecurityPackages` `FreeHGlobal` `FreeLibrary` `GetDelegateForFunctionPointer` `GetLoadLibraryWAddress32` `GetLogonSessionData` `GetModuleHandle` `GetProcAddress` `GetProcessHandle` `GetTokenInformation` `ImpersonateLoggedOnUser` `LoadLibrary` `MiniDumpWriteDump` `OpenDesktop` `OpenProcess` `OpenProcessToken` `OpenThreadToken` `OpenWindowStation` `PtrToString` `QueueUserApc` `ReadProcessMemory` `RevertToSelf` `RtlCreateUserThread` `SetThreadToken` `VirtualAlloc` `VirtualFree` `VirtualProtect` `WaitForSingleObject` `WriteInt32` `WriteProcessMemory` `ZeroFreeGlobalAllocUnicode` `kernel32` `memcpy` `ntdll` `secur32`
`Image`	ends_with	`\MpCmdRun.exe` corpus 5 (sigma 5)
`ParentImage`	ends_with	`\CompatTelRunner.exe`