MITRE ATT&CK Technique
Description
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. Native API functions (such as <code>NtCreateProcess</code>) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:31:17.472Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may interact with the native OS application '
'programming interface (API) to execute behaviors. Native APIs '
'provide a controlled means of calling low-level OS services '
'within the kernel, such as those involving hardware/devices, '
'memory, and processes.(Citation: NT API Windows)(Citation: '
'Linux Kernel API) These native APIs are leveraged by the OS '
'during system boot (when other system components are not yet '
'initialized) as well as carrying out tasks and requests '
'during routine operations.\n'
'\n'
'Adversaries may abuse these OS API functions as a means of '
'executing behaviors. Similar to [Command and Scripting '
'Interpreter](https://attack.mitre.org/techniques/T1059), the '
'native API and its hierarchy of interfaces provide mechanisms '
'to interact with and utilize various components of a '
'victimized system.\n'
'\n'
'Native API functions (such as <code>NtCreateProcess</code>) '
'may be directed invoked via system calls / syscalls, but '
'these features are also often exposed to user-mode '
'applications via interfaces and libraries.(Citation: OutFlank '
'System Calls)(Citation: CyberBit System Calls)(Citation: '
'MDSec System Calls) For example, functions such as the '
'Windows API <code>CreateProcess()</code> or GNU '
'<code>fork()</code> will allow programs and scripts to start '
'other processes.(Citation: Microsoft CreateProcess)(Citation: '
'GNU Fork) This may allow API callers to execute a binary, run '
'a CLI command, load modules, etc. as thousands of similar API '
'functions exist for various system operations.(Citation: '
'Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n'
'\n'
'Higher level software frameworks, such as Microsoft .NET and '
'macOS Cocoa, are also available to interact with native APIs. '
'These frameworks typically provide language '
'wrappers/abstractions to API functionalities and are designed '
'for ease-of-use/portability of code.(Citation: Microsoft '
'NET)(Citation: Apple Core Services)(Citation: MACOS '
'Cocoa)(Citation: macOS Foundation)\n'
'\n'
'Adversaries may use assembly to directly or in-directly '
'invoke syscalls in an attempt to subvert defensive sensors '
'and detection signatures such as user mode '
'API-hooks.(Citation: Redops Syscalls) Adversaries may also '
'attempt to tamper with sensors and defensive tools associated '
'with API monitoring, such as unhooking monitored functions '
'via [Disable or Modify '
'Tools](https://attack.mitre.org/techniques/T1562/001).',
'external_references': [{'external_id': 'T1106',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1106'},
{'description': 'Apple. (2015, September 16). Cocoa '
'Application Layer. Retrieved June '
'25, 2020.',
'source_name': 'MACOS Cocoa',
'url': 'https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1'},
{'description': 'Apple. (n.d.). Core Services. '
'Retrieved June 25, 2020.',
'source_name': 'Apple Core Services',
'url': 'https://developer.apple.com/documentation/coreservices'},
{'description': 'Apple. (n.d.). Foundation. Retrieved '
'July 1, 2020.',
'source_name': 'macOS Foundation',
'url': 'https://developer.apple.com/documentation/foundation'},
{'description': 'de Plaa, C. (2019, June 19). Red '
'Team Tactics: Combining Direct '
'System Calls and sRDI to bypass '
'AV/EDR. Retrieved September 29, '
'2021.',
'source_name': 'OutFlank System Calls',
'url': 'https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/'},
{'description': 'Feichter, D. (2023, June 30). Direct '
'Syscalls vs Indirect Syscalls. '
'Retrieved September 27, 2023.',
'source_name': 'Redops Syscalls',
'url': 'https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls'},
{'description': 'Free Software Foundation, Inc.. '
'(2020, June 18). Creating a Process. '
'Retrieved June 25, 2020.',
'source_name': 'GNU Fork',
'url': 'https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html'},
{'description': 'Gavriel, H. (2018, November 27). '
'Malware Mitigation when Direct '
'System Calls are Used. Retrieved '
'September 29, 2021.',
'source_name': 'CyberBit System Calls',
'url': 'https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/'},
{'description': 'glibc developer community. (2020, '
'February 1). The GNU C Library '
'(glibc). Retrieved June 25, 2020.',
'source_name': 'GLIBC',
'url': 'https://www.gnu.org/software/libc/'},
{'description': 'Kerrisk, M. (2016, December 12). '
'libc(7) — Linux manual page. '
'Retrieved June 25, 2020.',
'source_name': 'LIBC',
'url': 'https://man7.org/linux/man-pages//man7/libc.7.html'},
{'description': 'Linux Kernel Organization, Inc. '
'(n.d.). The Linux Kernel API. '
'Retrieved June 25, 2020.',
'source_name': 'Linux Kernel API',
'url': 'https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html'},
{'description': 'MDSec Research. (2020, December). '
'Bypassing User-Mode Hooks and Direct '
'Invocation of System Calls for Red '
'Teams. Retrieved September 29, 2021.',
'source_name': 'MDSec System Calls',
'url': 'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/'},
{'description': 'Microsoft. (n.d.). CreateProcess '
'function. Retrieved September 12, '
'2024.',
'source_name': 'Microsoft CreateProcess',
'url': 'https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa'},
{'description': 'Microsoft. (n.d.). Programming '
'reference for the Win32 API. '
'Retrieved March 15, 2020.',
'source_name': 'Microsoft Win32',
'url': 'https://docs.microsoft.com/en-us/windows/win32/api/'},
{'description': 'Microsoft. (n.d.). What is .NET '
'Framework?. Retrieved March 15, '
'2020.',
'source_name': 'Microsoft NET',
'url': 'https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework'},
{'description': 'The NTinterlnals.net team. (n.d.). '
'Nowak, T. Retrieved June 25, 2020.',
'source_name': 'NT API Windows',
'url': 'https://undocumented.ntinternals.net/'}],
'id': 'attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:48:39.785Z',
'name': 'Native API',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Gordon Long, LegioX/Zoom, asaurusrex',
'Stefan Kanthak',
'Tristan Madani (Cybereason)'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_remote_support': False,
'x_mitre_version': '2.3'}