Detect Credential API Hooking in Google Chronicle
Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging, this technique specifically targets API functions whose parameters reveal authentication credentials. On Windows, this includes hook procedures (SetWindowsHookEx), Import Address Table (IAT) hooking, and inline hooking of functions such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData. On Linux and macOS, adversaries abuse LD_PRELOAD or DYLD_INSERT_LIBRARIES to inject shared libraries that intercept credential-handling functions like libc read() as used by SSH/SCP. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher use these techniques extensively.
MITRE ATT&CK
- Tactic: Collection, Credential Access
- Technique: T1056 Input Capture
- Sub-technique: T1056.004 Credential API Hooking
- Canonical reference: https://attack.mitre.org/techniques/T1056/004/
YARA-L Detection Query
```yaral
rule credential_api_hooking_t1056_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1056.004 Credential API Hooking via remote thread injection into credential processes, LSASS memory access with suspicious access masks, hooking DLL loads, and hook-related API command line patterns."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1056.004"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1056/004/"
    created = "2024-01-01"
    platforms = "Windows"

  events:
    (
      /* Detection 1: Remote thread creation into credential-handling processes (Sysmon 8) */
      (
        $e.metadata.event_type = "PROCESS_INJECTION"
        OR ($e.metadata.product_event_type = "8" AND $e.metadata.vendor_name = "Microsoft")
      )
      AND $e.target.process.file.full_path = /(?i)\\(lsass|winlogon|chrome|firefox|iexplore|msedge|outlook|mstsc|explorer|svchost)\.exe$/
      AND NOT $e.principal.process.file.full_path = /(?i)\\(csrss|svchost|services|wininit|MsMpEng)\.exe$/
    )
    OR
    (
      /* Detection 2: LSASS memory access with credential-theft GrantedAccess masks (Sysmon 10) */
      $e.metadata.product_event_type = "10"
      AND $e.metadata.vendor_name = "Microsoft"
      AND $e.target.process.file.full_path = /(?i)\\lsass\.exe$/
      AND (
        $e.security_result.rule_name = "0x1010" OR
        $e.security_result.rule_name = "0x1410" OR
        $e.security_result.rule_name = "0x147a" OR
        $e.security_result.rule_name = "0x143a" OR
        $e.security_result.rule_name = "0x1438" OR
        $e.security_result.rule_name = "0x1fffff" OR
        $e.target.labels["GrantedAccess"] = "0x1010" OR
        $e.target.labels["GrantedAccess"] = "0x1410" OR
        $e.target.labels["GrantedAccess"] = "0x147a" OR
        $e.target.labels["GrantedAccess"] = "0x143a" OR
        $e.target.labels["GrantedAccess"] = "0x1438" OR
        $e.target.labels["GrantedAccess"] = "0x1fffff"
      )
      AND NOT $e.principal.process.file.full_path = /(?i)\\(MsMpEng|svchost|csrss|werfault|taskmgr|services|vmtoolsd|lsm)\.exe$/
    )
    OR
    (
      /* Detection 3: Suspicious hooking DLL loaded by name from a non-system path (Sysmon 7) */
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD"
        OR $e.metadata.product_event_type = "7"
      )
      AND $e.target.file.full_path = /(?i)(hook|inject|detour|spy|intercept)/
      AND NOT (
        $e.target.file.full_path = /(?i)\\Windows\\(System32|SysWOW64)\\/
        OR $e.target.file.full_path = /(?i)\\Program Files( \(x86\))?\\/
      )
      AND $e.principal.process.file.full_path = /(?i)\\(lsass|winlogon|chrome|firefox|iexplore|msedge|outlook|explorer|svchost)\.exe$/
    )
    OR
    (
      /* Detection 4: Hook-related API names in process command line arguments (Sysmon 1) */
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND $e.principal.process.command_line = /(?i)(SetWindowsHookEx|WriteProcessMemory|VirtualAllocEx|CredEnumerate|CryptUnprotectData|LsaLogonUser|IAT.{0,10}hook|inline.{0,10}hook)/
    )

    // YARA-L 2.0 matches on placeholder variables, so the hostname is bound here
    // and referenced by name in the match section.
    $hostname = $e.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // With a match window the outcome sees several events per host, so every
    // outcome variable must be an aggregation. $hostname is already the match variable.
    $user = array_distinct($e.principal.user.userid)
    $source_process = array_distinct($e.principal.process.file.full_path)
    $target_process = array_distinct($e.target.process.file.full_path)
    $command_line = array_distinct($e.principal.process.command_line)
    $event_type = array_distinct($e.metadata.event_type)
    $risk_score = max(
      if($e.metadata.event_type = "PROCESS_INJECTION", 40,
        if($e.metadata.product_event_type = "10", 40,
          if($e.metadata.event_type = "PROCESS_MODULE_LOAD", 25, 20))))

  condition:
    $e
}
```

Chronicle YARA-L 2.0 detection rule for T1056.004 Credential API Hooking. It covers four correlated behavioural signals in the UDM event model: process injection into credential-handling processes (PROCESS_INJECTION), LSASS memory access with known credential-theft GrantedAccess masks (Sysmon 10 mapped to UDM), suspicious hooking DLL loads matched by name pattern from non-system paths (PROCESS_MODULE_LOAD), and hook-related API function names appearing in process command line arguments (PROCESS_LAUNCH). Results aggregate over 5-minute windows per hostname.
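To see what the four branches do with realistic telemetry, here is an added Python replay of the rule's conditions over constructed Sysmon/UDM-style events (example code written for this page, not the rule itself or Chronicle's engine). The field names `type`, `sysmon`, `src`, `tgt`, `granted`, `module` and `cmd` are an assumed flattening of the UDM paths the rule reads, and `decode_mask` names the PROCESS_* access rights behind each GrantedAccess value in the rule's list.

```python
import re
# Regexes copied from the rule's four branches (offline replay, not Chronicle's rule engine).
CRED_PROCS = r"\\(lsass|winlogon|chrome|firefox|iexplore|msedge|outlook|mstsc|explorer|svchost)\.exe$"
HOOK_HOSTS = CRED_PROCS.replace("|mstsc", "")  # Detection 3's host list omits mstsc
INJ_EXCL = r"\\(csrss|svchost|services|wininit|MsMpEng)\.exe$"
LSASS_EXCL = r"\\(MsMpEng|svchost|csrss|werfault|taskmgr|services|vmtoolsd|lsm)\.exe$"
SYS_PATH = r"\\Windows\\(System32|SysWOW64)\\|\\Program Files( \(x86\))?\\"
HOOK_API = r"SetWindowsHookEx|WriteProcessMemory|VirtualAllocEx|CredEnumerate|CryptUnprotectData|LsaLogonUser|IAT.{0,10}hook|inline.{0,10}hook"
MASKS = {"0x1010", "0x1410", "0x147a", "0x143a", "0x1438", "0x1fffff"}
# PROCESS_* access-right bits (winnt.h) that make up the masks above.
RIGHTS = {0x2: "CREATE_THREAD", 0x8: "VM_OPERATION", 0x10: "VM_READ", 0x20: "VM_WRITE",
          0x40: "DUP_HANDLE", 0x400: "QUERY_INFORMATION", 0x1000: "QUERY_LIMITED_INFORMATION"}

def m(pattern, text):  # case-insensitive search that tolerates a missing (None) field
    return re.search(pattern, text or "", re.I) is not None

def decode_mask(mask):
    """Name the rights in a Sysmon GrantedAccess string, e.g. '0x1010' -> VM_READ + QUERY_LIMITED_INFORMATION."""
    return [name for bit, name in sorted(RIGHTS.items()) if int(mask, 16) & bit]

def classify(e):
    """Replay the rule's OR branches on one flattened event dict: (detection_no, risk 40/40/25/20) or None."""
    src, tgt = e.get("src"), e.get("tgt")
    if (e.get("type") == "PROCESS_INJECTION" or e.get("sysmon") == "8") \
            and m(CRED_PROCS, tgt) and not m(INJ_EXCL, src):
        return 1, 40
    if e.get("sysmon") == "10" and m(r"\\lsass\.exe$", tgt) \
            and e.get("granted") in MASKS and not m(LSASS_EXCL, src):
        return 2, 40
    if (e.get("type") == "PROCESS_MODULE_LOAD" or e.get("sysmon") == "7") \
            and m(r"hook|inject|detour|spy|intercept", e.get("module")) \
            and not m(SYS_PATH, e.get("module")) and m(HOOK_HOSTS, src):
        return 3, 25
    if e.get("type") == "PROCESS_LAUNCH" and m(HOOK_API, e.get("cmd")):
        return 4, 20
    return None

# Constructed sample events (flattened UDM fields): one per branch plus one Defender exclusion.
SAMPLES = [
    {"type": "PROCESS_INJECTION", "src": r"C:\Users\a\drop.exe", "tgt": r"C:\Windows\System32\lsass.exe"},
    {"sysmon": "10", "src": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "tgt": r"C:\Windows\System32\lsass.exe", "granted": "0x1410"},
    {"sysmon": "10", "src": r"C:\Program Files\Windows Defender\MsMpEng.exe", "tgt": r"C:\Windows\System32\lsass.exe", "granted": "0x1410"},
    {"type": "PROCESS_MODULE_LOAD", "src": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "module": r"C:\Users\a\AppData\Roaming\keyhook.dll"},
    {"type": "PROCESS_LAUNCH", "cmd": 'powershell.exe -Command "... SetWindowsHookEx ..."'},
]

def replay(events):
    """One host's 5-minute window: the firing branches and the highest risk score among them."""
    hits = [h for h in map(classify, events) if h]
    return hits, max((risk for _, risk in hits), default=0)
```

Test 2 in the Testing Methodology section expects GrantedAccess=0x0410 (VM_READ | QUERY_INFORMATION), which is not in the rule's mask list, so that event replays as no hit; the mask list needs extending if that test is meant to fire.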
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon and other EDR sensors generate PROCESS_INJECTION UDM events from their own memory-inspection workflows against lsass.exe; add the vendor agent's process path to the exclusion regex.
- Microsoft Sysinternals tools such as Process Monitor, Process Explorer, and Autoruns read LSASS memory with elevated access rights during forensic investigation; these are typically used interactively on specific endpoints.
- Browser helper objects and accessibility plugins that are legitimate Windows components may load DLLs matching the hook/inject name regex from non-standard application directories such as AppData.
- Application compatibility shims provided by the Windows App Compat layer may load shim DLLs with unusual names that partially match the hooking patterns.
- Chrome and Firefox extension helper executables sometimes use WriteProcessMemory or VirtualAllocEx for sandbox IPC; correlate with the process tree to verify browser-related parentage before escalating.
Other platforms for T1056.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SetWindowsHookEx Credential Hook via PowerShell and C# Inline
  Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with the inline C# hook code in the command line. Windows Security Event ID 4688 (if command line auditing is enabled). Sysmon Event ID 7: image loads for System.dll and user32.dll within the PowerShell process. Some EDRs will generate an API call event for SetWindowsHookEx.
- Test 2: LSASS Process Access with Credential-Harvesting Access Rights
  Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=lsass.exe, GrantedAccess=0x0410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION). Windows Security Event ID 4656 (object access, process) if object access auditing is enabled. EDR products will typically generate a high-severity alert for any LSASS access from PowerShell.
- Test 3: LD_PRELOAD Hook to Intercept libc read() (Linux)
  Expected signal: Linux audit log (auditd): execve syscall for 'cat' with an environment containing LD_PRELOAD=/tmp/hooktest.so. Syslog entries showing the shared library compilation (gcc) and execution. /proc/PID/maps for the cat process will show /tmp/hooktest.so loaded. The hook_test.log file creation captured by inotify or auditd file watches.
- Test 4: CreateRemoteThread into Browser Process Simulating IAT Hook Deployment
  Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, [email protected], NewThreadId will be populated. Sysmon Event ID 1: notepad.exe process created with powershell.exe as parent. Windows Security Event ID 4688 for notepad.exe creation. EDR will generate a high-severity alert for CreateRemoteThread from PowerShell into any process.
References
- https://attack.mitre.org/techniques/T1056/004/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://intezer.com/blog/research/new-linux-threat-symbiote/
- https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- https://www.scribd.com/document/68671361/Inline-Hooking-in-Windows
- https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trickbot
- https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat