T1056.004 Elastic Security · Elastic

Detect Credential API Hooking in Elastic Security

Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging, this technique specifically targets API functions whose parameters reveal authentication credentials. On Windows, this includes hook procedures (SetWindowsHookEx), Import Address Table (IAT) hooking, and inline hooking of functions such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData. On Linux and macOS, adversaries abuse LD_PRELOAD or DYLD_INSERT_LIBRARIES to inject shared libraries that intercept credential-handling functions like libc read() as used by SSH/SCP. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher use these techniques extensively.

MITRE ATT&CK

Tactic
Collection Credential Access
Technique
T1056 Input Capture
Sub-technique
T1056.004 Credential API Hooking
Canonical reference
https://attack.mitre.org/techniques/T1056/004/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   process.name : ("lsass.exe", "winlogon.exe", "explorer.exe", "svchost.exe",
                   "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
                   "outlook.exe", "mstsc.exe") and
   not process.parent.name : ("csrss.exe", "wininit.exe", "services.exe")
  ] by process.entity_id
  [process where event.type == "start" and
   process.args : ("*SetWindowsHookEx*", "*WriteProcessMemory*", "*VirtualAllocEx*",
                   "*CryptUnprotectData*", "*LsaLogonUser*", "*CredEnumerate*",
                   "*IAT*hook*", "*inline*hook*")
  ] by process.parent.entity_id
| any where
  (
    /* Remote thread creation into credential-handling processes */
    (
      event.category == "process" and
      event.action == "CreateRemoteThread" and
      process.name : ("lsass.exe", "winlogon.exe", "explorer.exe", "svchost.exe",
                      "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
                      "outlook.exe", "mstsc.exe") and
      not process.parent.name : ("csrss.exe", "svchost.exe", "services.exe", "wininit.exe")
    )
    or
    /* LSASS memory open with suspicious access rights */
    (
      event.category == "process" and
      event.action == "OpenProcess" and
      process.name == "lsass.exe" and
      winlog.event_data.GrantedAccess : ("0x1010", "0x1410", "0x147a", "0x143a", "0x1438", "0x1fffff") and
      not process.parent.name : ("MsMpEng.exe", "svchost.exe", "csrss.exe", "werfault.exe",
                                  "taskmgr.exe", "services.exe", "vmtoolsd.exe", "lsm.exe")
    )
    or
    /* Suspicious hooking DLL image loads from non-system paths */
    (
      event.category == "library" and
      dll.name : ("*hook*", "*inject*", "*detour*", "*spy*", "*intercept*") and
      not dll.path : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*",
                      "C:\\Program Files\\*", "C:\\Program Files (x86)\\*") and
      process.name : ("lsass.exe", "winlogon.exe", "explorer.exe", "svchost.exe",
                      "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe")
    )
    or
    /* SetWindowsHookEx called from unexpected processes */
    (
      event.category == "process" and
      event.action : ("SetWindowsHookEx", "NtSetInformationProcess") and
      not process.name : ("explorer.exe", "csrss.exe", "dwm.exe", "userinit.exe", "ctfmon.exe")
    )
  )
critical severity high confidence

Detects MITRE ATT&CK T1056.004 Credential API Hooking via four correlated signals: remote thread injection into credential-handling processes, LSASS memory access with suspicious GrantedAccess masks, suspicious hooking DLL loads from non-system paths, and SetWindowsHookEx API calls from non-standard processes. Covers Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher TTPs.

Data Sources

Elastic Endpoint SecurityWindows Sysmon via FilebeatElastic Agent with endpoint integration

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.library-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • Legitimate security monitoring tools (e.g., CrowdStrike Falcon, Carbon Black) create remote threads into lsass.exe for memory scanning — add vendor process names to exclusion list
  • Accessibility software such as screen readers (NVDA, JAWS) legitimately call SetWindowsHookEx for keyboard/mouse input interception — baseline against known software inventory
  • Developer debugging tools (WinDbg, x64dbg, Process Hacker) frequently open LSASS with elevated access rights during active investigation sessions on developer endpoints
  • DLL injection frameworks used by legitimate game anti-cheat engines (BattlEye, EasyAntiCheat) perform process injection into game executables and may trigger hooking DLL alerts
  • Password managers that autofill credentials may load helper DLLs into browser processes with names that partially match hook-related patterns
Download portable Sigma rule (.yml)

Other platforms for T1056.004

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SetWindowsHookEx Credential Hook via PowerShell and C# Inline

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# hook code in the command line. Windows Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 7: Image loads for System.dll, user32.dll within the PowerShell process. Some EDRs will generate an API call event for SetWindowsHookEx.

  2. Test 2LSASS Process Access with Credential-Harvesting Access Rights

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=lsass.exe, GrantedAccess=0x0410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION). Windows Security Event ID 4656 (Object access — process) if object access auditing is enabled. EDR products will typically generate a high-severity alert for any LSASS access from PowerShell.

  3. Test 3LD_PRELOAD Hook to Intercept libc read() (Linux)

    Expected signal: Linux audit log (auditd): execve syscall for 'cat' with environment containing LD_PRELOAD=/tmp/hooktest.so. Syslog entries showing the shared library compilation (gcc) and execution. /proc/PID/maps for the cat process will show /tmp/hooktest.so loaded. The hook_test.log file creation captured by inotify or auditd file watches.

  4. Test 4CreateRemoteThread into Browser Process Simulating IAT Hook Deployment

    Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, [email protected], NewThreadId will be populated. Sysmon Event ID 1: notepad.exe process created by powershell.exe parent. Windows Security Event ID 4688 for notepad.exe creation. EDR will generate high-severity alert for CreateRemoteThread from PowerShell into any process.

Last updated: 2026-04-16 Research depth: deep
References (14)

Unlock Pro Content

Get the full detection package for T1056.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1056Input Capture

Related Sub-techniques

T1056.001KeyloggingT1056.002GUI Input CaptureT1056.003Web Portal Capture

Related Techniques

T1056Input CaptureT1056.001KeyloggingT1055Process InjectionT1055.001Dynamic-link Library InjectionT1055.012Process HollowingT1003.001LSASS MemoryT1547.006Kernel Modules and ExtensionsT1574.001DLLT1574.002DLL Side-LoadingT1134Access Token Manipulation

Same Tactic: Collection

Popular Detections