Description
Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.
In Windows, hooking involves redirecting calls to these functions and can be implemented via:
* Hooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
* Import address table (IAT) hooking, which uses modifications to a process's IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
* Inline hooking, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
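The two memory-modifying mechanisms above, IAT hooking and inline hooking, leave artifacts a defender can check for once a process's import table and the first bytes of its exported functions have been captured. The following is an added example, not code from the ATT&CK page or any of the cited projects: it implements the two checks as pure functions over constructed data (module ranges, IAT slot values and prologue bytes are all made up for illustration, and the function names `find_iat_hooks`, `find_inline_hooks` and `prologue_looks_hooked` are this example's own). An IAT slot is flagged when it points anywhere other than the DLL that exports the function; a prologue is flagged when the bytes mapped in the process differ from the on-disk image, with the difference classified as a known trampoline pattern where one is recognised.

```python
"""Added example: IAT and inline hook checks over constructed process data.
Not from the ATT&CK page or any referenced project; all addresses and byte
strings below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def find_iat_hooks(imports, modules):
    """imports: iterable of (exporting_dll, function_name, iat_slot_value).
    Each slot should point inside the DLL that exports the function. A slot
    pointing into another module, or into no mapped module at all, is a hook
    candidate. Returns [(function_name, slot_value, owning_module_or_None)]."""
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for expected_dll, func, ptr in imports:
        dll = by_name.get(expected_dll.lower())
        if dll is None or not dll.contains(ptr):
            owner = next((m.name for m in modules if m.contains(ptr)), None)
            findings.append((func, ptr, owner))
    return findings


def prologue_looks_hooked(live: bytes) -> bool:
    """Recognise the first-instruction patterns typical of an inline hook
    trampoline: jmp rel32, jmp [mem], push imm32/ret, mov rax,imm64/jmp rax."""
    if live.startswith(b"\xe9"):                                   # E9 rel32
        return True
    if live.startswith(b"\xff\x25"):                               # FF 25 disp32
        return True
    if len(live) >= 6 and live[0] == 0x68 and live[5] == 0xC3:     # 68 imm32 C3
        return True
    if live.startswith(b"\x48\xb8") and live[10:12] == b"\xff\xe0":  # mov rax; jmp rax
        return True
    return False


def find_inline_hooks(live_prologues: dict, disk_prologues: dict):
    """Compare the first bytes of each function as mapped in the process with
    the same bytes from the on-disk image. This example assumes the compared
    bytes carry no relocations, so any difference is unexplained by the loader.
    Returns [(function_name, "trampoline" | "modified")]."""
    findings = []
    for func, live in live_prologues.items():
        disk = disk_prologues.get(func)
        if disk is not None and live != disk:
            reason = "trampoline" if prologue_looks_hooked(live) else "modified"
            findings.append((func, reason))
    return findings


# --- constructed sample data (not real load addresses or real prologues) ---
MODULES = [
    Module("kernel32.dll", 0x7FF800000000, 0xC0000),
    Module("advapi32.dll", 0x7FF800200000, 0xA0000),
    Module("unknown.dll", 0x1A000000000, 0x10000),  # hypothetical injected module
]
IMPORTS = [
    ("kernel32.dll", "CreateFileW", 0x7FF800011230),   # inside kernel32: clean
    ("advapi32.dll", "CredEnumerateA", 0x1A000001000),  # redirected into unknown.dll
    ("advapi32.dll", "LogonUserW", 0x400000),           # points at no mapped module
]
DISK = {
    "CreateFileW": b"\x48\x83\xec\x58\x4c\x8b\xc9\x48\x8b\x44\x24\x70",
    "CredEnumerateA": b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xec\x20",
    "LogonUserW": b"\x4c\x8b\xdc\x49\x89\x5b\x08\x49\x89\x73\x10\x57\x48\x83\xec\x50",
}
LIVE = dict(DISK)
# jmp rel32 written over the first five bytes
LIVE["CredEnumerateA"] = b"\xe9\x10\x20\x30\x40" + DISK["CredEnumerateA"][5:]
# mov rax, imm64 ; jmp rax written over the first twelve bytes
LIVE["LogonUserW"] = (b"\x48\xb8" + (0x1A000002000).to_bytes(8, "little")
                      + b"\xff\xe0" + DISK["LogonUserW"][12:])


if __name__ == "__main__":
    for func, ptr, owner in find_iat_hooks(IMPORTS, MODULES):
        print(f"IAT: {func} -> {ptr:#x} (owner: {owner or 'unmapped'})")
    for func, reason in find_inline_hooks(LIVE, DISK):
        print(f"inline: {func} prologue {reason}")
```

On a live system the inputs come from the process itself (module list, parsed import directory, and a read of each function's first bytes) and from the DLL on disk; the pure checks above are unchanged. A hook that only replaces the IAT slot leaves the exported function's prologue intact, and an inline hook leaves the IAT slot correct, so both checks are needed to cover the two mechanisms the description lists.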
In Linux and macOS, adversaries may hook into system functions via the LD_PRELOAD (Linux) or DYLD_INSERT_LIBRARIES (macOS) environment variables, which enables loading shared libraries into a program’s address space. For example, an adversary may capture credentials by hooking into the libc read function leveraged by SSH or SCP.(Citation: Intezer Symbiote 2022)
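Because the Linux and macOS variants work through environment variables (and, on Linux, the system-wide `/etc/ld.so.preload` file), the loader-side artifact is visible in each process's environment and in that file. The following is an added example, not code from the ATT&CK page or the Symbiote analysis it cites: it parses constructed copies of `/proc/<pid>/environ` and `/etc/ld.so.preload`, lists every preloaded library, and rates a library outside the standard library directories as the higher-severity finding. The PID, paths and directory list are constructed for illustration, and `scan_proc` is this example's own helper for running the same logic against a live `/proc`.

```python
"""Added example: find preloaded shared libraries via LD_PRELOAD,
DYLD_INSERT_LIBRARIES and /etc/ld.so.preload. Not from the ATT&CK page or any
referenced project; the sample environment and file contents are constructed."""

import os
from pathlib import PurePosixPath

# Constructed allow-list of directories where preloaded libraries are expected.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
PRELOAD_VARS = ("LD_PRELOAD", "DYLD_INSERT_LIBRARIES")


def parse_environ(raw: bytes) -> dict:
    """/proc/<pid>/environ is a sequence of NUL-terminated KEY=VALUE entries."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_entries(env: dict) -> list:
    """LD_PRELOAD separates libraries with spaces or colons; DYLD_INSERT_LIBRARIES
    uses colons. Returns [(variable_name, library_path)]."""
    libs = []
    for var in PRELOAD_VARS:
        for token in env.get(var, "").replace(":", " ").split():
            libs.append((var, token))
    return libs


def parse_ld_so_preload(text: str) -> list:
    """/etc/ld.so.preload lists one library per line ('#' starts a comment) and
    applies to every dynamically linked process on the host."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.append(("/etc/ld.so.preload", line))
    return libs


def is_untrusted_path(path: str) -> bool:
    """Relative paths and paths outside TRUSTED_LIB_DIRS are untrusted."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return True
    return not any(str(p).startswith(d + "/") for d in TRUSTED_LIB_DIRS)


def assess(pid: int, environ_raw: bytes, ld_so_preload_text: str) -> list:
    """Combine per-process and system-wide preload sources into findings."""
    findings = []
    entries = preload_entries(parse_environ(environ_raw)) + parse_ld_so_preload(ld_so_preload_text)
    for source, lib in entries:
        severity = "high" if is_untrusted_path(lib) else "review"
        findings.append({"pid": pid, "source": source, "library": lib, "severity": severity})
    return findings


def scan_proc(proc_root: str = "/proc", ld_so_preload: str = "/etc/ld.so.preload") -> list:
    """Run assess() over every readable /proc/<pid>/environ on a live Linux host."""
    try:
        with open(ld_so_preload) as fh:
            preload_text = fh.read()
    except OSError:
        preload_text = ""
    results = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                results.extend(assess(int(name), fh.read(), ""))
        except OSError:
            continue  # process exited or environ not readable (needs ptrace access)
    return results + assess(0, b"", preload_text)


# --- constructed sample inputs ---
SAMPLE_ENVIRON = (b"PATH=/usr/bin:/bin\0HOME=/root\0"
                  b"LD_PRELOAD=/dev/shm/.x/libhook.so\0SHELL=/bin/bash\0")
SAMPLE_LD_SO_PRELOAD = "# constructed sample file\n/usr/lib/libvendor_agent.so\n"

if __name__ == "__main__":
    for finding in assess(4242, SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD):
        print(finding)
```

Reading `/proc/<pid>/environ` for another user's process requires ptrace-level access, so `scan_proc` silently skips what it cannot open. The checks also trust the kernel's view of `/proc` and the filesystem; the Symbiote write-up cited above describes a preloaded library that interferes with exactly those reads, so for a host suspected of that kind of compromise the same parsers should be pointed at files collected from a memory image or a mounted disk rather than run on the host itself.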
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0068 | PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) is capable of using Windows hook interfaces for information gathering such as credential access.(Cit... |
Associated Software (11)
| ID | Name | Type | Context |
|---|---|---|---|
| S0330 | Zeus Panda | Malware | [Zeus Panda](https://attack.mitre.org/software/S0330) hooks processes by leveraging its own IAT hooked functions.(Citation: GDATA Zeus Panda June 2017... |
| S1154 | VersaMem | Malware | [VersaMem](https://attack.mitre.org/software/S1154) hooked and overrode Versa's built-in authentication method, `setUserPassword`, to intercept plain... |
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484) has hooked several Windows API functions to steal credentials.(Citation: Prevx Carberp March 2011) |
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) hooks processes by modifying IAT pointers to CreateWindowEx.(Citation: FinFisher Citation)(Citati... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from brow... |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) hooks several API functions to spawn system threads.(Citation: Talos ZxShell Oct 2014) |
| S0251 | Zebrocy | Malware | [Zebrocy](https://attack.mitre.org/software/S0251) installs an application-defined Windows hook to get notified when a network drive has been attached... |
| S0416 | RDFSNIFFER | Malware | [RDFSNIFFER](https://attack.mitre.org/software/S0416) hooks several Win32 API functions to hijack elements of the remote system management user-interf... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) contains some modules that leverage API hooking to carry out tasks, such as netripper.(Citation: Git... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) has the ability to capture RDP credentials by capturing the `CredEnumerateA` API(Citati... |
| S0353 | NOKKI | Malware | [NOKKI](https://attack.mitre.org/software/S0353) uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the ... |
References
- Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.
- Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017.
- GMER. (n.d.). GMER. Retrieved December 12, 2017.
- Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User Mode. Retrieved December 20, 2017.
- Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
- Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.
- Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved November 17, 2024.
- Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I. Retrieved December 18, 2017.
- Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
- Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved December 12, 2017.
Frequently Asked Questions
What is T1056.004 (Credential API Hooking)?
T1056.004 is a MITRE ATT&CK technique named 'Credential API Hooking'. It belongs to the Collection, Credential Access tactic(s). Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function cal...
How can T1056.004 be detected?
Detection of T1056.004 (Credential API Hooking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1056.004?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1056.004?
Known threat groups using T1056.004 include: PLATINUM.