Detect Credential API Hooking in CrowdStrike LogScale
Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging, this technique specifically targets API functions whose parameters reveal authentication credentials. On Windows, this includes hook procedures (SetWindowsHookEx), Import Address Table (IAT) hooking, and inline hooking of functions such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData. On Linux and macOS, adversaries abuse LD_PRELOAD or DYLD_INSERT_LIBRARIES to inject shared libraries that intercept credential-handling functions like libc read() as used by SSH/SCP. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher use these techniques extensively.
MITRE ATT&CK
- Tactic
- Collection Credential Access
- Technique
- T1056 Input Capture
- Sub-technique
- T1056.004 Credential API Hooking
- Canonical reference
- https://attack.mitre.org/techniques/T1056/004/
LogScale Detection Query
/* T1056.004 Credential API Hooking — CrowdStrike LogScale / Falcon CQL */
// Sub-detection 1: Remote thread creation into credential-handling processes
#event_simpleName = CreateRemoteThreadApiCall
| TargetImageFileName = /(?i)(lsass|winlogon|chrome|firefox|iexplore|msedge|outlook|mstsc|explorer|svchost)\.exe$/
| !match(field=ImageFileName, values=["csrss.exe", "svchost.exe", "services.exe", "wininit.exe", "MsMpEng.exe"],
ignoreCase=true)
| DetectionType := "RemoteThreadIntoCredProcess"
| TargetProcess := TargetImageFileName
| SourceProcess := ImageFileName
// Union: Sub-detection 2 — LSASS Process Open with credential-theft access masks
| union [
#event_simpleName = ProcessRollup2
| TargetImageFileName = /(?i)\\lsass\.exe$/
| DesiredAccess = /^(0x1010|0x1410|0x147a|0x143a|0x1438|0x1fffff)$/i
| !match(field=ImageFileName, values=["MsMpEng.exe", "svchost.exe", "csrss.exe", "werfault.exe",
"taskmgr.exe", "services.exe", "vmtoolsd.exe", "lsm.exe"],
ignoreCase=true)
| DetectionType := "LSASSMemoryAccessForHooking"
| TargetProcess := TargetImageFileName
| SourceProcess := ImageFileName
| AccessMask := DesiredAccess
]
// Union: Sub-detection 3 — Suspicious DLL load by name from non-system path
| union [
#event_simpleName = ClassifiedModuleLoad
| ImageFileName = /(?i)(hook|inject|detour|spy|intercept)/
| !match(field=ImageFileName, values=["\\Windows\\System32\\", "\\Windows\\SysWOW64\\",
"\\Program Files\\", "\\Program Files (x86)\\"],
ignoreCase=true)
| match(field=ParentBaseFileName,
values=["lsass.exe", "winlogon.exe", "chrome.exe", "firefox.exe",
"iexplore.exe", "msedge.exe", "outlook.exe", "explorer.exe", "svchost.exe"],
ignoreCase=true)
| DetectionType := "SuspiciousHookDLLLoaded"
| LoadedDLL := ImageFileName
| SourceProcess := ParentBaseFileName
]
// Union: Sub-detection 4 — Hook-related API names in CommandLine
| union [
#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(SetWindowsHookEx|WriteProcessMemory|VirtualAllocEx|CredEnumerate|CryptUnprotectData|LsaLogonUser|IAT.{1,10}hook|inline.{1,10}hook)/
| DetectionType := "HookRelatedCommandLine"
| SourceProcess := ImageFileName
| CmdLine := CommandLine
]
// Aggregate results per host and source process
| groupBy(
[ComputerName, UserName, SourceProcess],
function=[
count(as=EventCount),
collect(DetectionType, multival=true, as=DetectionTypes),
collect(TargetProcess, multival=true, as=TargetProcesses),
collect(AccessMask, multival=true, as=AccessRights),
collect(LoadedDLL, multival=true, as=SuspiciousDLLs),
collect(CmdLine, multival=true, as=CommandLines),
min(@timestamp, as=FirstSeen),
max(@timestamp, as=LastSeen)
]
)
| RiskScore := length(DetectionTypes)
| TimeDeltaMinutes := round((LastSeen - FirstSeen) / 60000, 2)
| where RiskScore >= 1
| sort(RiskScore, order=desc)
| sort(EventCount, order=desc)CrowdStrike LogScale (Falcon CQL) detection for T1056.004 Credential API Hooking. Queries Falcon sensor events across four behavioral signals: CreateRemoteThreadApiCall into credential-handling processes, ProcessRollup2 events showing LSASS opened with credential-theft GrantedAccess masks, ClassifiedModuleLoad for suspicious hook/inject-named DLLs loaded from non-system paths, and ProcessRollup2 events with hook-related API names in the command line. Results are grouped per host and process with risk scoring.
Data Sources
Required Tables
False Positives & Tuning
- The Falcon sensor itself performs LSASS memory reads and process injection operations as part of its own credential telemetry — the sensor process (CSAgent.exe, CSFalconService.exe) should be permanently excluded from LSASS access detections
- Third-party EDR co-existence scenarios where two sensor products are installed simultaneously may cause each to flag the other's injection activities — validate against approved software inventory in CMDB
- Game anti-cheat services (BattlEye, EasyAntiCheat, Ricochet) regularly create remote threads into game executables and system processes as part of their tamper-detection mechanisms
- Application virtualization products (VMware ThinApp, Microsoft App-V) load DLLs with non-standard paths and names that may match hook/inject naming patterns outside of the standard Windows directories
- Browser extension native messaging hosts sometimes have command lines referencing memory manipulation APIs when communicating with browser sandbox processes — verify process parent chain confirms browser ancestry before escalating
Other platforms for T1056.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SetWindowsHookEx Credential Hook via PowerShell and C# Inline
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# hook code in the command line. Windows Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 7: Image loads for System.dll, user32.dll within the PowerShell process. Some EDRs will generate an API call event for SetWindowsHookEx.
- Test 2LSASS Process Access with Credential-Harvesting Access Rights
Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=lsass.exe, GrantedAccess=0x0410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION). Windows Security Event ID 4656 (Object access — process) if object access auditing is enabled. EDR products will typically generate a high-severity alert for any LSASS access from PowerShell.
- Test 3LD_PRELOAD Hook to Intercept libc read() (Linux)
Expected signal: Linux audit log (auditd): execve syscall for 'cat' with environment containing LD_PRELOAD=/tmp/hooktest.so. Syslog entries showing the shared library compilation (gcc) and execution. /proc/PID/maps for the cat process will show /tmp/hooktest.so loaded. The hook_test.log file creation captured by inotify or auditd file watches.
- Test 4CreateRemoteThread into Browser Process Simulating IAT Hook Deployment
Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, [email protected], NewThreadId will be populated. Sysmon Event ID 1: notepad.exe process created by powershell.exe parent. Windows Security Event ID 4688 for notepad.exe creation. EDR will generate high-severity alert for CreateRemoteThread from PowerShell into any process.
References (14)
- https://attack.mitre.org/techniques/T1056/004/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://intezer.com/blog/research/new-linux-threat-symbiote/
- https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
- https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
- https://www.scribd.com/document/68671361/Inline-Hooking-in-Windows
- https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
- https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
- https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis
- https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trickbot
- https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat
Unlock Pro Content
Get the full detection package for T1056.004 including response playbook, investigation guide, and atomic red team tests.