T1056.004

Credential API Hooking

Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging, this technique specifically targets API functions whose parameters reveal authentication credentials. On Windows, this includes hook procedures (SetWindowsHookEx), Import Address Table (IAT) hooking, and inline hooking of functions such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData. On Linux and macOS, adversaries abuse LD_PRELOAD or DYLD_INSERT_LIBRARIES to inject shared libraries that intercept credential-handling functions like libc read() as used by SSH/SCP. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher use these techniques extensively.

Microsoft Sentinel / Defender

kusto

let CredentialAPIs = dynamic([
  "LsaLogonUser", "SamIGetPrivateData", "CryptUnprotectData",
  "CredEnumerateA", "CredEnumerateW", "CredReadA", "CredReadW",
  "WlxLoggedOnSAS", "NtLmSsp", "SsprChangePasswordCaller",
  "GetUserNameA", "GetUserNameW", "LookupAccountNameA",
  "CreateWindowEx", "SetWindowsHookEx", "SetWindowsHookExA", "SetWindowsHookExW"
]);
let SuspiciousInjectionProcesses = dynamic([
  "lsass.exe", "winlogon.exe", "explorer.exe", "svchost.exe",
  "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
  "outlook.exe", "mstsc.exe"
]);
// Detection 1: Process injection / remote thread creation into credential-handling processes
let RemoteThreadIntoCredProcs = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName !in~ ("csrss.exe", "svchost.exe", "services.exe", "wininit.exe")
| where FileName in~ (SuspiciousInjectionProcesses)
| project Timestamp, DeviceName, AccountName, ActionType,
    FileName, InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessId, ProcessId, InitiatingProcessParentFileName,
    DetectionType = "RemoteThreadIntoCredentialProcess";
// Detection 2: DLL image loads associated with hooking frameworks
let SuspiciousHookingDLLs = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (SuspiciousInjectionProcesses)
| where FileName has_any ("hook", "inject", "detour", "api_ms_win_security", "spy", "monitor")
    or SHA256 in~ ("") // Enrich with known malicious hashes
| where not (FolderPath has_any ("\\Windows\\System32\\", "\\Windows\\SysWOW64\\", "\\Program Files\\"))
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionType = "SuspiciousHookingDLLLoaded";
// Detection 3: SetWindowsHookEx API calls from unusual processes
let HookExAPICalls = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType has_any ("SetWindowsHookEx", "NtSetInformationProcess")
| where InitiatingProcessFileName !in~ ("explorer.exe", "csrss.exe", "dwm.exe", "userinit.exe", "ctfmon.exe")
| project Timestamp, DeviceName, AccountName, ActionType,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessFolderPath, InitiatingProcessParentFileName,
    DetectionType = "SuspiciousHookAPICall";
// Detection 4: Processes accessing LSASS memory (credential theft precursor)
let LSASSAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "MsMpEng.exe", "svchost.exe", "csrss.exe", "werfault.exe",
    "taskmgr.exe", "services.exe", "WmiPrvSE.exe", "lsm.exe",
    "vmtoolsd.exe", "VGAuthService.exe", "AmSvc.exe"
  )
| project Timestamp, DeviceName, AccountName, ActionType,
    FileName, InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessFolderPath, InitiatingProcessParentFileName,
    DetectionType = "LSASSAccessForHooking";
union RemoteThreadIntoCredProcs, SuspiciousHookingDLLs, HookExAPICalls, LSASSAccess
| summarize EventCount=count(), DetectionTypes=make_set(DetectionType),
    FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend RiskScore = array_length(DetectionTypes)
| sort by RiskScore desc, LastSeen desc

high severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Module: Module Load Driver: Driver Load

Required Tables

DeviceEvents DeviceImageLoadEvents DeviceProcessEvents

False Positives

Legitimate security products (AV, EDR agents, DLP tools) that use hooking internally to monitor API calls — MsMpEng.exe, CylanceSvc.exe, CbDefense.exe
Accessibility software (screen readers, magnifiers, input helpers) that use SetWindowsHookEx to intercept keyboard/mouse input — JAWS, NVDA, ZoomText
Application compatibility shims and compatibility layers (AppHelp, Windows Shims) that hook APIs for legacy application support
Debugging tools and profilers (WinDbg, Visual Studio debugger, dotTrace, dotMemory) that legitimately attach to processes and intercept API calls
Remote administration and screen-sharing software (TeamViewer, AnyDesk, RDP hooks in mstsc.exe) that use hooks for display capture

Splunk

spl

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval EventCode=coalesce(EventCode, event_id)
(
  (
    EventCode=8
    (TargetImage="*\\lsass.exe" OR TargetImage="*\\winlogon.exe" OR
     TargetImage="*\\chrome.exe" OR TargetImage="*\\firefox.exe" OR
     TargetImage="*\\iexplore.exe" OR TargetImage="*\\msedge.exe" OR
     TargetImage="*\\outlook.exe" OR TargetImage="*\\mstsc.exe" OR
     TargetImage="*\\explorer.exe" OR TargetImage="*\\svchost.exe")
    NOT (SourceImage="*\\csrss.exe" OR SourceImage="*\\svchost.exe"
         OR SourceImage="*\\services.exe" OR SourceImage="*\\wininit.exe"
         OR SourceImage="*\\MsMpEng.exe")
  )
  OR
  (
    EventCode=10
    TargetImage="*\\lsass.exe"
    (GrantedAccess="0x1010" OR GrantedAccess="0x1410" OR
     GrantedAccess="0x147a" OR GrantedAccess="0x143a" OR
     GrantedAccess="0x1438" OR GrantedAccess="0x1fffff")
    NOT (SourceImage="*\\MsMpEng.exe" OR SourceImage="*\\svchost.exe"
         OR SourceImage="*\\csrss.exe" OR SourceImage="*\\werfault.exe"
         OR SourceImage="*\\taskmgr.exe" OR SourceImage="*\\services.exe"
         OR SourceImage="*\\vmtoolsd.exe" OR SourceImage="*\\lsm.exe")
  )
  OR
  (
    EventCode=7
    (ImageLoaded="*hook*" OR ImageLoaded="*inject*" OR ImageLoaded="*detour*"
     OR ImageLoaded="*spy*" OR ImageLoaded="*intercept*")
    NOT (ImageLoaded="*\\Windows\\System32\\*" OR ImageLoaded="*\\Windows\\SysWOW64\\*"
         OR ImageLoaded="*\\Program Files\\*" OR ImageLoaded="*\\Program Files (x86)\\*")
  )
  OR
  (
    EventCode=1
    (CommandLine="*SetWindowsHookEx*" OR CommandLine="*WriteProcessMemory*"
     OR CommandLine="*VirtualAllocEx*" OR CommandLine="*CredEnumerate*"
     OR CommandLine="*CryptUnprotectData*" OR CommandLine="*LsaLogonUser*"
     OR CommandLine="*IAT*hook*" OR CommandLine="*inline*hook*")
  )
)
| eval DetectionType=case(
    EventCode==8, "RemoteThreadCreateIntoCredProcess",
    EventCode==10, "LSASSMemoryAccessForHooking",
    EventCode==7, "SuspiciousHookDLLLoaded",
    EventCode==1, "HookRelatedCommandLine",
    true(), "Unknown"
  )
| eval TargetProc=coalesce(TargetImage, "N/A")
| eval SourceProc=coalesce(SourceImage, Image, "N/A")
| eval AccessGranted=coalesce(GrantedAccess, "N/A")
| eval DLLLoaded=coalesce(ImageLoaded, "N/A")
| eval CmdLine=coalesce(CommandLine, "N/A")
| stats count as EventCount,
        values(DetectionType) as DetectionTypes,
        values(TargetProc) as TargetProcesses,
        values(AccessGranted) as AccessRights,
        values(DLLLoaded) as SuspiciousDLLs,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen
        by host, SourceProc, CmdLine, User
| eval RiskScore=mvcount(DetectionTypes)
| eval TimeDeltaMinutes=round((LastSeen - FirstSeen) / 60, 2)
| where RiskScore >= 1
| table host, User, SourceProc, CmdLine, DetectionTypes, TargetProcesses,
        AccessRights, SuspiciousDLLs, EventCount, RiskScore,
        FirstSeen, LastSeen, TimeDeltaMinutes
| sort - RiskScore, - EventCount

high severity medium confidence

Data Sources

Process: OS API Execution Process: Process Access Module: Module Load Process: Process Creation Sysmon Event ID 1, 7, 8, 10

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate security products (AV, EDR agents, DLP tools) that use hooking internally — MsMpEng.exe, CylanceSvc.exe, SentinelOne, CrowdStrike Falcon
Accessibility software (JAWS, NVDA, ZoomText) that uses SetWindowsHookEx for input interception
Debugging tools (WinDbg, Visual Studio, OllyDbg, x64dbg) and performance profilers that access process memory
Virtualization guest tools (VMware Tools vmtoolsd.exe, VirtualBox additions) that legitimately access system processes
Application compatibility shims and compatibility layers managed by Windows that hook APIs for legacy software support

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   process.name : ("lsass.exe", "winlogon.exe", "explorer.exe", "svchost.exe",
                   "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
                   "outlook.exe", "mstsc.exe") and
   not process.parent.name : ("csrss.exe", "wininit.exe", "services.exe")
  ] by process.entity_id
  [process where event.type == "start" and
   process.args : ("*SetWindowsHookEx*", "*WriteProcessMemory*", "*VirtualAllocEx*",
                   "*CryptUnprotectData*", "*LsaLogonUser*", "*CredEnumerate*",
                   "*IAT*hook*", "*inline*hook*")
  ] by process.parent.entity_id
| any where
  (
    /* Remote thread creation into credential-handling processes */
    (
      event.category == "process" and
      event.action == "CreateRemoteThread" and
      process.name : ("lsass.exe", "winlogon.exe", "explorer.exe", "svchost.exe",
                      "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
                      "outlook.exe", "mstsc.exe") and
      not process.parent.name : ("csrss.exe", "svchost.exe", "services.exe", "wininit.exe")
    )
    or
    /* LSASS memory open with suspicious access rights */
    (
      event.category == "process" and
      event.action == "OpenProcess" and
      process.name == "lsass.exe" and
      winlog.event_data.GrantedAccess : ("0x1010", "0x1410", "0x147a", "0x143a", "0x1438", "0x1fffff") and
      not process.parent.name : ("MsMpEng.exe", "svchost.exe", "csrss.exe", "werfault.exe",
                                  "taskmgr.exe", "services.exe", "vmtoolsd.exe", "lsm.exe")
    )
    or
    /* Suspicious hooking DLL image loads from non-system paths */
    (
      event.category == "library" and
      dll.name : ("*hook*", "*inject*", "*detour*", "*spy*", "*intercept*") and
      not dll.path : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*",
                      "C:\\Program Files\\*", "C:\\Program Files (x86)\\*") and
      process.name : ("lsass.exe", "winlogon.exe", "explorer.exe", "svchost.exe",
                      "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe")
    )
    or
    /* SetWindowsHookEx called from unexpected processes */
    (
      event.category == "process" and
      event.action : ("SetWindowsHookEx", "NtSetInformationProcess") and
      not process.name : ("explorer.exe", "csrss.exe", "dwm.exe", "userinit.exe", "ctfmon.exe")
    )
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon via Filebeat Elastic Agent with endpoint integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.library-* logs-windows.sysmon_operational-*

False Positives

Legitimate security monitoring tools (e.g., CrowdStrike Falcon, Carbon Black) create remote threads into lsass.exe for memory scanning — add vendor process names to exclusion list
Accessibility software such as screen readers (NVDA, JAWS) legitimately call SetWindowsHookEx for keyboard/mouse input interception — baseline against known software inventory
Developer debugging tools (WinDbg, x64dbg, Process Hacker) frequently open LSASS with elevated access rights during active investigation sessions on developer endpoints
DLL injection frameworks used by legitimate game anti-cheat engines (BattlEye, EasyAntiCheat) perform process injection into game executables and may trigger hooking DLL alerts
Password managers that autofill credentials may load helper DLLs into browser processes with names that partially match hook-related patterns

IBM QRadar (AQL)

sql

/* T1056.004 Credential API Hooking — QRadar AQL */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory,
  username AS User,
  sourceip AS SourceIP,
  "SourceProcessImage" AS SourceProcess,
  "TargetProcessImage" AS TargetProcess,
  "GrantedAccess" AS AccessMask,
  "ImageLoaded" AS LoadedDLL,
  "CommandLine" AS CommandLine,
  CASE
    WHEN QIDNAME(qid) LIKE '%CreateRemoteThread%' THEN 'RemoteThreadIntoCredProcess'
    WHEN QIDNAME(qid) LIKE '%ProcessAccess%' AND "GrantedAccess" IN ('0x1010','0x1410','0x147a','0x143a','0x1438','0x1fffff') THEN 'LSASSMemoryAccessForHooking'
    WHEN QIDNAME(qid) LIKE '%ImageLoad%' AND (LOWER("ImageLoaded") LIKE '%hook%' OR LOWER("ImageLoaded") LIKE '%inject%' OR LOWER("ImageLoaded") LIKE '%detour%' OR LOWER("ImageLoaded") LIKE '%spy%') THEN 'SuspiciousHookDLLLoaded'
    WHEN QIDNAME(qid) LIKE '%ProcessCreate%' AND ("CommandLine" LIKE '%SetWindowsHookEx%' OR "CommandLine" LIKE '%WriteProcessMemory%' OR "CommandLine" LIKE '%VirtualAllocEx%' OR "CommandLine" LIKE '%CryptUnprotectData%' OR "CommandLine" LIKE '%LsaLogonUser%' OR "CommandLine" LIKE '%CredEnumerate%') THEN 'HookRelatedCommandLine'
    ELSE 'CredentialAPIHookingGeneric'
  END AS DetectionType,
  COUNT(*) OVER (PARTITION BY username, "SourceProcessImage") AS EventCount
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (
    SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%' OR name LIKE '%Windows%'
  )
  AND starttime > NOW() - 86400000
  AND (
    /* Sysmon Event 8: CreateRemoteThread into credential processes */
    (
      QIDNAME(qid) LIKE '%CreateRemoteThread%'
      AND (
        "TargetProcessImage" LIKE '%\\lsass.exe'
        OR "TargetProcessImage" LIKE '%\\winlogon.exe'
        OR "TargetProcessImage" LIKE '%\\chrome.exe'
        OR "TargetProcessImage" LIKE '%\\firefox.exe'
        OR "TargetProcessImage" LIKE '%\\iexplore.exe'
        OR "TargetProcessImage" LIKE '%\\msedge.exe'
        OR "TargetProcessImage" LIKE '%\\outlook.exe'
        OR "TargetProcessImage" LIKE '%\\mstsc.exe'
        OR "TargetProcessImage" LIKE '%\\explorer.exe'
        OR "TargetProcessImage" LIKE '%\\svchost.exe'
      )
      AND "SourceProcessImage" NOT LIKE '%\\csrss.exe'
      AND "SourceProcessImage" NOT LIKE '%\\svchost.exe'
      AND "SourceProcessImage" NOT LIKE '%\\services.exe'
      AND "SourceProcessImage" NOT LIKE '%\\wininit.exe'
      AND "SourceProcessImage" NOT LIKE '%\\MsMpEng.exe'
    )
    OR
    /* Sysmon Event 10: LSASS Process Access with credential-theft access masks */
    (
      QIDNAME(qid) LIKE '%ProcessAccess%'
      AND "TargetProcessImage" LIKE '%\\lsass.exe'
      AND "GrantedAccess" IN ('0x1010','0x1410','0x147a','0x143a','0x1438','0x1fffff')
      AND "SourceProcessImage" NOT LIKE '%\\MsMpEng.exe'
      AND "SourceProcessImage" NOT LIKE '%\\svchost.exe'
      AND "SourceProcessImage" NOT LIKE '%\\csrss.exe'
      AND "SourceProcessImage" NOT LIKE '%\\werfault.exe'
      AND "SourceProcessImage" NOT LIKE '%\\taskmgr.exe'
      AND "SourceProcessImage" NOT LIKE '%\\services.exe'
      AND "SourceProcessImage" NOT LIKE '%\\vmtoolsd.exe'
      AND "SourceProcessImage" NOT LIKE '%\\lsm.exe'
    )
    OR
    /* Sysmon Event 7: Suspicious DLL image load with hook/inject naming */
    (
      QIDNAME(qid) LIKE '%ImageLoad%'
      AND (
        LOWER("ImageLoaded") LIKE '%hook%'
        OR LOWER("ImageLoaded") LIKE '%inject%'
        OR LOWER("ImageLoaded") LIKE '%detour%'
        OR LOWER("ImageLoaded") LIKE '%spy%'
        OR LOWER("ImageLoaded") LIKE '%intercept%'
      )
      AND "ImageLoaded" NOT LIKE '%\\Windows\\System32\\%'
      AND "ImageLoaded" NOT LIKE '%\\Windows\\SysWOW64\\%'
      AND "ImageLoaded" NOT LIKE '%\\Program Files\\%'
      AND "ImageLoaded" NOT LIKE '%\\Program Files (x86)\\%'
    )
    OR
    /* Sysmon Event 1 / Security 4688: Hook-related command line arguments */
    (
      QIDNAME(qid) LIKE '%ProcessCreate%'
      AND (
        "CommandLine" LIKE '%SetWindowsHookEx%'
        OR "CommandLine" LIKE '%WriteProcessMemory%'
        OR "CommandLine" LIKE '%VirtualAllocEx%'
        OR "CommandLine" LIKE '%CredEnumerate%'
        OR "CommandLine" LIKE '%CryptUnprotectData%'
        OR "CommandLine" LIKE '%LsaLogonUser%'
        OR LOWER("CommandLine") LIKE '%iat%hook%'
        OR LOWER("CommandLine") LIKE '%inline%hook%'
      )
    )
  )
ORDER BY EventTime DESC

critical severity high confidence

Data Sources

IBM QRadar SIEM Windows Sysmon log source Windows Security Event log source

Required Tables

events

False Positives

Endpoint detection and response (EDR) agents from vendors like CrowdStrike, SentinelOne, and Carbon Black routinely access LSASS memory with elevated access masks as part of their normal credential telemetry collection
Vulnerability scanners and penetration testing tools such as Metasploit, Cobalt Strike (in authorized red team engagements), and Mimikatz (in sanctioned environments) will generate all detection sub-types simultaneously
Legitimate accessibility or input automation software including AutoHotKey, Accessibility Insights, and UI Automation frameworks call SetWindowsHookEx as a core part of their operation
Software development environments and dynamic analysis sandboxes use process injection APIs during normal operation when loading plugins, debuggers, or profilers into target processes
Password synchronization utilities that bridge domain credentials to cloud identity providers may enumerate credential stores using CredEnumerate API calls

Sumo Logic CSE

sql

/* T1056.004 Credential API Hooking — Sumo Logic CSE */
_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json auto
/* Normalize EventCode across Sysmon XML and Security log formats */
| if(isNull(EventCode), if(!isNull(event_id), event_id, ""), EventCode) as EventCode
| where EventCode in ("8", "10", "7", "1", "4688")
/* Sub-detection 1: Remote thread creation into credential processes (Sysmon 8) */
| where
  (
    EventCode == "8"
    AND (
      TargetImage matches "*\\lsass.exe" OR
      TargetImage matches "*\\winlogon.exe" OR
      TargetImage matches "*\\chrome.exe" OR
      TargetImage matches "*\\firefox.exe" OR
      TargetImage matches "*\\iexplore.exe" OR
      TargetImage matches "*\\msedge.exe" OR
      TargetImage matches "*\\outlook.exe" OR
      TargetImage matches "*\\mstsc.exe" OR
      TargetImage matches "*\\explorer.exe" OR
      TargetImage matches "*\\svchost.exe"
    )
    AND NOT (
      SourceImage matches "*\\csrss.exe" OR
      SourceImage matches "*\\svchost.exe" OR
      SourceImage matches "*\\services.exe" OR
      SourceImage matches "*\\wininit.exe" OR
      SourceImage matches "*\\MsMpEng.exe"
    )
  )
  OR
  (
    /* Sub-detection 2: LSASS process access with credential-theft access masks (Sysmon 10) */
    EventCode == "10"
    AND TargetImage matches "*\\lsass.exe"
    AND GrantedAccess in ("0x1010", "0x1410", "0x147a", "0x143a", "0x1438", "0x1fffff")
    AND NOT (
      SourceImage matches "*\\MsMpEng.exe" OR
      SourceImage matches "*\\svchost.exe" OR
      SourceImage matches "*\\csrss.exe" OR
      SourceImage matches "*\\werfault.exe" OR
      SourceImage matches "*\\taskmgr.exe" OR
      SourceImage matches "*\\services.exe" OR
      SourceImage matches "*\\vmtoolsd.exe" OR
      SourceImage matches "*\\lsm.exe"
    )
  )
  OR
  (
    /* Sub-detection 3: Suspicious hooking DLL loaded from non-system path (Sysmon 7) */
    EventCode == "7"
    AND (
      toLowerCase(ImageLoaded) matches "*hook*" OR
      toLowerCase(ImageLoaded) matches "*inject*" OR
      toLowerCase(ImageLoaded) matches "*detour*" OR
      toLowerCase(ImageLoaded) matches "*spy*" OR
      toLowerCase(ImageLoaded) matches "*intercept*"
    )
    AND NOT (
      ImageLoaded matches "*\\Windows\\System32\\*" OR
      ImageLoaded matches "*\\Windows\\SysWOW64\\*" OR
      ImageLoaded matches "*\\Program Files\\*" OR
      ImageLoaded matches "*\\Program Files (x86)\\*"
    )
  )
  OR
  (
    /* Sub-detection 4: Hook API names in command line (Sysmon 1 / Security 4688) */
    EventCode in ("1", "4688")
    AND (
      CommandLine matches "*SetWindowsHookEx*" OR
      CommandLine matches "*WriteProcessMemory*" OR
      CommandLine matches "*VirtualAllocEx*" OR
      CommandLine matches "*CredEnumerate*" OR
      CommandLine matches "*CryptUnprotectData*" OR
      CommandLine matches "*LsaLogonUser*" OR
      toLowerCase(CommandLine) matches "*iat*hook*" OR
      toLowerCase(CommandLine) matches "*inline*hook*"
    )
  )
/* Enrich and normalize fields */
| if(EventCode == "8", "RemoteThreadIntoCredProcess",
    if(EventCode == "10", "LSASSMemoryAccessForHooking",
      if(EventCode == "7", "SuspiciousHookDLLLoaded",
        if(EventCode in ("1", "4688"), "HookRelatedCommandLine", "Unknown")
      )
    )
  ) as DetectionType
| if(!isNull(TargetImage), TargetImage, "N/A") as TargetProcess
| if(!isNull(SourceImage), SourceImage, if(!isNull(Image), Image, "N/A")) as SourceProcess
| if(!isNull(GrantedAccess), GrantedAccess, "N/A") as AccessMask
| if(!isNull(ImageLoaded), ImageLoaded, "N/A") as LoadedDLL
| if(!isNull(CommandLine), CommandLine, "N/A") as CmdLine
| if(!isNull(User), User, if(!isNull(SubjectUserName), SubjectUserName, "N/A")) as UserAccount
| timeslice 1h
| stats
    count as EventCount,
    values(DetectionType) as DetectionTypes,
    values(TargetProcess) as TargetProcesses,
    values(AccessMask) as AccessRights,
    values(LoadedDLL) as SuspiciousDLLs,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen
    by _timeslice, Computer, SourceProcess, CmdLine, UserAccount
| where EventCount >= 1
| fields -_timeslice
| sort by EventCount desc

critical severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon log collection Windows Security Event log collection

Required Tables

windows/sysmon windows/security

False Positives

Security software from CrowdStrike, SentinelOne, Cylance, and similar EDR vendors routinely generate LSASS process access events (Event 10) with elevated GrantedAccess values as part of their memory scanning and telemetry workflows
Automated red team tooling operating under an authorized penetration testing engagement will deliberately trigger all four sub-detections — correlate with change management records and authorized test windows
Legitimate UI automation frameworks (Python win32gui bindings, AutoHotKey scripts, Sikuli) call SetWindowsHookEx for keyboard and mouse hook installation and will generate HookRelatedCommandLine alerts
Application monitoring and APM agents (Dynatrace, AppDynamics, New Relic) inject DLLs into application processes for performance instrumentation — their DLL names may partially match hook/inject patterns
Software installers that perform in-process patching (MSI transforms, application virtualization) may load DLLs with detour-style names from temp or application paths outside of System32

Google Chronicle / SecOps

yaral

rule credential_api_hooking_t1056_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1056.004 Credential API Hooking via remote thread injection into credential processes, LSASS memory access with suspicious access masks, hooking DLL loads, and hook-related API command line patterns."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1056.004"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1056/004/"
    created = "2024-01-01"
    platforms = "Windows"

  events:
    (
      /* Detection 1: Remote thread creation into credential-handling processes (Sysmon 8) */
      (
        $e.metadata.event_type = "PROCESS_INJECTION"
        OR ($e.metadata.product_event_type = "8" AND $e.metadata.vendor_name = "Microsoft")
      )
      AND (
        $e.target.process.file.full_path = /(?i)\\(lsass|winlogon|chrome|firefox|iexplore|msedge|outlook|mstsc|explorer|svchost)\.exe$/
      )
      AND NOT (
        $e.principal.process.file.full_path = /(?i)\\(csrss|svchost|services|wininit|MsMpEng)\.exe$/
      )
    )
    OR
    (
      /* Detection 2: LSASS memory access with credential-theft GrantedAccess masks (Sysmon 10) */
      (
        $e.metadata.product_event_type = "10"
        AND $e.metadata.vendor_name = "Microsoft"
      )
      AND $e.target.process.file.full_path = /(?i)\\lsass\.exe$/
      AND (
        $e.security_result.rule_name = "0x1010" OR
        $e.security_result.rule_name = "0x1410" OR
        $e.security_result.rule_name = "0x147a" OR
        $e.security_result.rule_name = "0x143a" OR
        $e.security_result.rule_name = "0x1438" OR
        $e.security_result.rule_name = "0x1fffff" OR
        $e.target.labels["GrantedAccess"] = "0x1010" OR
        $e.target.labels["GrantedAccess"] = "0x1410" OR
        $e.target.labels["GrantedAccess"] = "0x147a" OR
        $e.target.labels["GrantedAccess"] = "0x143a" OR
        $e.target.labels["GrantedAccess"] = "0x1438" OR
        $e.target.labels["GrantedAccess"] = "0x1fffff"
      )
      AND NOT (
        $e.principal.process.file.full_path = /(?i)\\(MsMpEng|svchost|csrss|werfault|taskmgr|services|vmtoolsd|lsm)\.exe$/
      )
    )
    OR
    (
      /* Detection 3: Suspicious hooking DLL loaded by name from non-system path (Sysmon 7) */
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD"
        OR $e.metadata.product_event_type = "7"
      )
      AND $e.target.file.full_path = /(?i)(hook|inject|detour|spy|intercept)/
      AND NOT (
        $e.target.file.full_path = /(?i)\\Windows\\(System32|SysWOW64)\\/
        OR $e.target.file.full_path = /(?i)\\Program Files( \(x86\))?\\/
      )
      AND $e.principal.process.file.full_path = /(?i)\\(lsass|winlogon|chrome|firefox|iexplore|msedge|outlook|explorer|svchost)\.exe$/
    )
    OR
    (
      /* Detection 4: Hook-related API names in process command line arguments (Sysmon 1) */
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        $e.principal.process.command_line = /(?i)(SetWindowsHookEx|WriteProcessMemory|VirtualAllocEx|CredEnumerate|CryptUnprotectData|LsaLogonUser|IAT.{0,10}hook|inline.{0,10}hook)/
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $source_process = $e.principal.process.file.full_path
    $target_process = $e.target.process.file.full_path
    $command_line = $e.principal.process.command_line
    $event_type = $e.metadata.event_type
    $risk_score = if($e.metadata.event_type = "PROCESS_INJECTION", 40,
                  if($e.metadata.product_event_type = "10", 40,
                   if($e.metadata.event_type = "PROCESS_MODULE_LOAD", 25, 20)))

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Windows Sysmon forwarded via Chronicle Ingestion API Microsoft Defender for Endpoint via Chronicle connector

Required Tables

UDM Events — process, module_load, injection event types

False Positives

CrowdStrike Falcon and other EDR sensors use PROCESS_INJECTION UDM events for their own memory inspection workflows against lsass.exe — add the vendor agent process path to the exclusion regex
Microsoft Sysinternals tools such as Process Monitor, Process Explorer, and Autoruns read LSASS memory with elevated access rights during forensic investigation — these are typically used interactively on specific endpoints
Browser helper objects and accessibility plugins that are legitimate Windows components may load DLLs matching the hook/inject name regex from non-standard application directories such as AppData
Application compatibility shims provided by the Windows App Compat layer may load shim DLLs with unusual names that partially match hooking patterns
Chrome and Firefox extension helper executables sometimes use WriteProcessMemory or VirtualAllocEx for sandbox IPCs — correlate with process tree to verify browser-related parentage before escalating

CrowdStrike LogScale (CQL)

cql

/* T1056.004 Credential API Hooking — CrowdStrike LogScale / Falcon CQL */

// Sub-detection 1: Remote thread creation into credential-handling processes
#event_simpleName = CreateRemoteThreadApiCall
| TargetImageFileName = /(?i)(lsass|winlogon|chrome|firefox|iexplore|msedge|outlook|mstsc|explorer|svchost)\.exe$/
| !match(field=ImageFileName, values=["csrss.exe", "svchost.exe", "services.exe", "wininit.exe", "MsMpEng.exe"],
         ignoreCase=true)
| DetectionType := "RemoteThreadIntoCredProcess"
| TargetProcess := TargetImageFileName
| SourceProcess := ImageFileName

// Union: Sub-detection 2 — LSASS Process Open with credential-theft access masks
| union [
  #event_simpleName = ProcessRollup2
  | TargetImageFileName = /(?i)\\lsass\.exe$/
  | DesiredAccess = /^(0x1010|0x1410|0x147a|0x143a|0x1438|0x1fffff)$/i
  | !match(field=ImageFileName, values=["MsMpEng.exe", "svchost.exe", "csrss.exe", "werfault.exe",
                                          "taskmgr.exe", "services.exe", "vmtoolsd.exe", "lsm.exe"],
           ignoreCase=true)
  | DetectionType := "LSASSMemoryAccessForHooking"
  | TargetProcess := TargetImageFileName
  | SourceProcess := ImageFileName
  | AccessMask := DesiredAccess
]

// Union: Sub-detection 3 — Suspicious DLL load by name from non-system path
| union [
  #event_simpleName = ClassifiedModuleLoad
  | ImageFileName = /(?i)(hook|inject|detour|spy|intercept)/
  | !match(field=ImageFileName, values=["\\Windows\\System32\\", "\\Windows\\SysWOW64\\",
                                          "\\Program Files\\", "\\Program Files (x86)\\"],
           ignoreCase=true)
  | match(field=ParentBaseFileName,
           values=["lsass.exe", "winlogon.exe", "chrome.exe", "firefox.exe",
                   "iexplore.exe", "msedge.exe", "outlook.exe", "explorer.exe", "svchost.exe"],
           ignoreCase=true)
  | DetectionType := "SuspiciousHookDLLLoaded"
  | LoadedDLL := ImageFileName
  | SourceProcess := ParentBaseFileName
]

// Union: Sub-detection 4 — Hook-related API names in CommandLine
| union [
  #event_simpleName = ProcessRollup2
  | CommandLine = /(?i)(SetWindowsHookEx|WriteProcessMemory|VirtualAllocEx|CredEnumerate|CryptUnprotectData|LsaLogonUser|IAT.{1,10}hook|inline.{1,10}hook)/
  | DetectionType := "HookRelatedCommandLine"
  | SourceProcess := ImageFileName
  | CmdLine := CommandLine
]

// Aggregate results per host and source process
| groupBy(
    [ComputerName, UserName, SourceProcess],
    function=[
      count(as=EventCount),
      collect(DetectionType, multival=true, as=DetectionTypes),
      collect(TargetProcess, multival=true, as=TargetProcesses),
      collect(AccessMask, multival=true, as=AccessRights),
      collect(LoadedDLL, multival=true, as=SuspiciousDLLs),
      collect(CmdLine, multival=true, as=CommandLines),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| RiskScore := length(DetectionTypes)
| TimeDeltaMinutes := round((LastSeen - FirstSeen) / 60000, 2)
| where RiskScore >= 1
| sort(RiskScore, order=desc)
| sort(EventCount, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon LogScale (Humio) Falcon Insight XDR telemetry

Required Tables

CreateRemoteThreadApiCall ProcessRollup2 ClassifiedModuleLoad

False Positives

The Falcon sensor itself performs LSASS memory reads and process injection operations as part of its own credential telemetry — the sensor process (CSAgent.exe, CSFalconService.exe) should be permanently excluded from LSASS access detections
Third-party EDR co-existence scenarios where two sensor products are installed simultaneously may cause each to flag the other's injection activities — validate against approved software inventory in CMDB
Game anti-cheat services (BattlEye, EasyAntiCheat, Ricochet) regularly create remote threads into game executables and system processes as part of their tamper-detection mechanisms
Application virtualization products (VMware ThinApp, Microsoft App-V) load DLLs with non-standard paths and names that may match hook/inject naming patterns outside of the standard Windows directories
Browser extension native messaging hosts sometimes have command lines referencing memory manipulation APIs when communicating with browser sandbox processes — verify process parent chain confirms browser ancestry before escalating

Last updated: 2026-04-16 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1056.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Credential API Hooking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections