Hello and welcome to another discussion in our application of the MITRE ATT&CK framework. Today we're looking at Execution through API as an attack vector in the Execution phase. So let's go ahead and jump right into our objectives.
Today we're going to look at what Execution through API is. We're going to look at some tools that are used in this particular method, and we're going to look at some mitigation techniques and some detection techniques as well. So with that, let's go ahead and jump right in.
Now, Execution through API. These attacks involve the use of tools that may directly use the Windows Application Programming Interface (API) to execute binaries. You've probably heard of using APIs to communicate between systems, as well as between web applications and things of that nature, where we're doing API calls with URLs. This technique is focusing on the Windows Application Programming Interface with respect to the execution of binaries. Some examples of API calls that can be used to execute binaries are as given here. This list isn't all-inclusive, but it includes CreateProcessA and CreateProcessW, CreateProcessAsUserA and CreateProcessAsUserW, LoadLibrary, and LoadModule. These can be useful for executing scripts and things of that nature when APIs are part of an attack.
Generally, when we look at the attack vectors, a user may execute a phishing or spear-phishing attachment that results in command-line calls, which in turn result in API actions, or something of that nature. So these vectors can be compounded, and they are not one-for-one: you may have lateral movement as well as movement up and down through a particular phase.
Now, when we look at tools used, these are some tools used by a particular threat group. BOOSTWRITE is essentially a loader created to be launched via the abuse of the DLL search order of applications. The application loads several libraries and finally loads d. Now this causes the import of a malicious DLL that is then used to load an instance of the Carbanak backdoor. Another tool we have here is RDFSNIFFER, a module which is loaded by BOOSTWRITE. It will hook Win32 API functions and can be used to hijack elements of NCR Aloha Command Center. There's also a backdoor component that enables it to inject commands into an active RDFClient session. Some other components of this tool also allow for uploading and downloading files on systems, so if there are particular files that the threat actor is after, they could potentially load some of those files as well. Now, when we talk about mitigation techniques,
really with respect to these APIs and things of that nature, the approach is to identify and block malicious payloads or software through execution prevention methods. This can be things such as antivirus, and it can be things such as intrusion prevention systems and things of that nature that look for suspicious activity and then attempt to block that activity based on what is known to be malicious.
With respect to APIs within Windows, because they're used so much in the way software works and the way the system works, it wouldn't make sense to log the activity of every API or every call on the Windows system. It would overwhelm your logs, and it would make it very tedious to inspect this information. So what you would want to do is utilize intrusion prevention and detection systems to do correlation around events that could potentially be malicious in nature involving Windows APIs. Instead of looking at single events, you would really want to take multiple events at a time that look suspicious or seem to be the signature of a particular type of attack,
and then you would investigate that information and see if it is, in fact, malicious.
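The correlation approach just described, as an added example that is not from the lecture or from MITRE: a small Python correlator over constructed endpoint events (modelled loosely on process-creation and image-load records) that never alerts on a single event, but does alert when a document application spawning a shell is followed, in the same process and within a short window, by an unsigned DLL load from a user-writable path. The event layout, the path prefixes, the parent/child lists, the host names and the time window are all assumptions for illustration.

```python
"""Event correlation for API-based execution (added example, not the lecture's code).

Two constructed event types are correlated: "process_create" (a CreateProcess-style
launch) and "image_load" (a DLL load). Either indicator alone is never alerted;
both together, in the same process and within a window, are.
"""
from datetime import datetime, timedelta

# Assumption: directories a standard user can write to, treated as untrusted DLL sources.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Assumption: document-handling parents that rarely need to spawn a shell or script host.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELL_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe")

# Constructed sample events; every host, user, path and file name here is made up.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "ws01", "pid": 412, "type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2024-01-01T10:00:05", "host": "ws01", "pid": 520, "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"ts": "2024-01-01T10:00:07", "host": "ws01", "pid": 520, "type": "image_load",
     "image": r"C:\Windows\System32\cmd.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\tmp_loader.dll", "signed": False},
    # ws02: an unsigned DLL from Temp loaded by an installer, with no odd parent. One indicator only.
    {"ts": "2024-01-01T10:05:00", "host": "ws02", "pid": 900, "type": "image_load",
     "image": r"C:\Users\bob\Downloads\setup.exe",
     "image_loaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll", "signed": False},
    # ws03: both indicators, but two minutes apart, so outside the default window.
    {"ts": "2024-01-01T10:10:00", "host": "ws03", "pid": 333, "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"ts": "2024-01-01T10:12:00", "host": "ws03", "pid": 333, "type": "image_load",
     "image": r"C:\Windows\System32\cmd.exe",
     "image_loaded": r"C:\ProgramData\cache\stage.dll", "signed": False},
]


def _basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_create(ev):
    """Office application spawning a shell or script host."""
    return (ev["type"] == "process_create"
            and _basename(ev["parent_image"]) in OFFICE_PARENTS
            and _basename(ev["image"]) in SHELL_CHILDREN)


def is_suspicious_load(ev):
    """Unsigned DLL loaded from a user-writable directory."""
    return (ev["type"] == "image_load"
            and ev["image_loaded"].lower().startswith(USER_WRITABLE_PREFIXES)
            and not ev.get("signed", False))


def correlate(events, window_seconds=60):
    """Return one alert per (host, pid) whose suspicious launch is followed by a
    suspicious DLL load within window_seconds. Single indicators are never alerted."""
    window = timedelta(seconds=window_seconds)
    pending = {}   # (host, pid) -> the suspicious process_create event seen for it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if is_suspicious_create(ev):
            pending[key] = ev
        elif is_suspicious_load(ev) and key in pending:
            start = datetime.fromisoformat(pending[key]["ts"])
            if datetime.fromisoformat(ev["ts"]) - start <= window:
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "parent": pending[key]["parent_image"],
                               "child": pending[key]["image"],
                               "dll": ev["image_loaded"]})
                del pending[key]
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} pid={a['pid']}: {a['parent']} -> {a['child']} loaded {a['dll']}")
```

With the default 60-second window only ws01 alerts: ws02 shows a single indicator, and ws03's two indicators are too far apart. Widening the window to 300 seconds also surfaces ws03, which is the tuning trade-off the lecture points at: the wider the correlation window, the more of the otherwise-overwhelming API activity you end up reviewing.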
Now let's do a quick check on learning. True or false: Execution through API concerns the use of the Windows Application Programming Interface.
All right, well, if you need some additional time, please go ahead and pause the video and take a moment. Now, this statement is true. With respect to API execution in this case, MITRE talks about the Windows Application Programming Interface, and so
we're not talking about web APIs and things of that nature right now; it's strictly focusing on the Windows Application Programming Interface. So in this case, the statement given is true. So let's go ahead and jump over to the summary for today's discussion. We reviewed
Execution through API as presented in the ATT&CK framework.
We reviewed some tools that would be used for manipulating these APIs, or how we've seen instances of these APIs being taken advantage of. We reviewed some mitigation techniques, which were really
through things like antivirus, execution prevention, and other whitelisting tools that you can put in place to try and block
malicious payloads and things of that nature.
And then we reviewed some detection techniques: again, not looking at all aspects of API activity within Windows, because it would be so much information that it would be very tedious and hard for you to single out one event as being malicious,
so you'd want to focus again on correlation of events to attempt to detect malicious activity with respect to
Windows APIs.
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.