T1056.004 IBM QRadar · QRadar

Detect Credential API Hooking in IBM QRadar

Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging, this technique specifically targets API functions whose parameters reveal authentication credentials. On Windows, this includes hook procedures (SetWindowsHookEx), Import Address Table (IAT) hooking, and inline hooking of functions such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData. On Linux and macOS, adversaries abuse LD_PRELOAD or DYLD_INSERT_LIBRARIES to inject shared libraries that intercept credential-handling functions like libc read() as used by SSH/SCP. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher use these techniques extensively.

MITRE ATT&CK

Tactic: Collection, Credential Access
Technique: T1056 Input Capture
Sub-technique: T1056.004 Credential API Hooking
Canonical reference: https://attack.mitre.org/techniques/T1056/004/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
/* T1056.004 Credential API Hooking — QRadar AQL */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS EventCategory,
  username AS User,
  sourceip AS SourceIP,
  "SourceProcessImage" AS SourceProcess,
  "TargetProcessImage" AS TargetProcess,
  "GrantedAccess" AS AccessMask,
  "ImageLoaded" AS LoadedDLL,
  "CommandLine" AS CommandLine,
  /* Label each hit with the branch of the WHERE clause that matched it */
  CASE
    WHEN QIDNAME(qid) LIKE '%CreateRemoteThread%' THEN 'RemoteThreadIntoCredProcess'
    WHEN QIDNAME(qid) LIKE '%ProcessAccess%' AND "TargetProcessImage" LIKE '%\\lsass.exe'
      AND "GrantedAccess" IN ('0x1010','0x1410','0x147a','0x143a','0x1438','0x1fffff') THEN 'LSASSMemoryAccessForHooking'
    WHEN QIDNAME(qid) LIKE '%ImageLoad%' AND (LOWER("ImageLoaded") LIKE '%hook%' OR LOWER("ImageLoaded") LIKE '%inject%' OR LOWER("ImageLoaded") LIKE '%detour%' OR LOWER("ImageLoaded") LIKE '%spy%' OR LOWER("ImageLoaded") LIKE '%intercept%') THEN 'SuspiciousHookDLLLoaded'
    WHEN QIDNAME(qid) LIKE '%ProcessCreate%' AND ("CommandLine" LIKE '%SetWindowsHookEx%' OR "CommandLine" LIKE '%WriteProcessMemory%' OR "CommandLine" LIKE '%VirtualAllocEx%' OR "CommandLine" LIKE '%CryptUnprotectData%' OR "CommandLine" LIKE '%LsaLogonUser%' OR "CommandLine" LIKE '%CredEnumerate%' OR LOWER("CommandLine") LIKE '%iat%hook%' OR LOWER("CommandLine") LIKE '%inline%hook%') THEN 'HookRelatedCommandLine'
    ELSE 'CredentialAPIHookingGeneric'
  END AS DetectionType
  /* AQL has no window functions (COUNT(*) OVER (PARTITION BY ...) is not valid);
     per-user / per-process counts need a separate GROUP BY username, "SourceProcessImage" query */
FROM events
WHERE
  /* Restrict to Sysmon and Windows Security log source types */
  (
    LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
    OR LOGSOURCETYPENAME(devicetype) LIKE '%Windows%'
  )
  /* Last 24 hours; starttime is in epoch milliseconds */
  AND starttime > NOW() - 86400000
  AND (
    /* Sysmon Event 8: CreateRemoteThread into credential processes */
    (
      QIDNAME(qid) LIKE '%CreateRemoteThread%'
      AND (
        "TargetProcessImage" LIKE '%\\lsass.exe'
        OR "TargetProcessImage" LIKE '%\\winlogon.exe'
        OR "TargetProcessImage" LIKE '%\\chrome.exe'
        OR "TargetProcessImage" LIKE '%\\firefox.exe'
        OR "TargetProcessImage" LIKE '%\\iexplore.exe'
        OR "TargetProcessImage" LIKE '%\\msedge.exe'
        OR "TargetProcessImage" LIKE '%\\outlook.exe'
        OR "TargetProcessImage" LIKE '%\\mstsc.exe'
        OR "TargetProcessImage" LIKE '%\\explorer.exe'
        OR "TargetProcessImage" LIKE '%\\svchost.exe'
      )
      AND "SourceProcessImage" NOT LIKE '%\\csrss.exe'
      AND "SourceProcessImage" NOT LIKE '%\\svchost.exe'
      AND "SourceProcessImage" NOT LIKE '%\\services.exe'
      AND "SourceProcessImage" NOT LIKE '%\\wininit.exe'
      AND "SourceProcessImage" NOT LIKE '%\\MsMpEng.exe'
    )
    OR
    /* Sysmon Event 10: LSASS Process Access with credential-theft access masks */
    (
      QIDNAME(qid) LIKE '%ProcessAccess%'
      AND "TargetProcessImage" LIKE '%\\lsass.exe'
      AND "GrantedAccess" IN ('0x1010','0x1410','0x147a','0x143a','0x1438','0x1fffff')
      AND "SourceProcessImage" NOT LIKE '%\\MsMpEng.exe'
      AND "SourceProcessImage" NOT LIKE '%\\svchost.exe'
      AND "SourceProcessImage" NOT LIKE '%\\csrss.exe'
      AND "SourceProcessImage" NOT LIKE '%\\werfault.exe'
      AND "SourceProcessImage" NOT LIKE '%\\taskmgr.exe'
      AND "SourceProcessImage" NOT LIKE '%\\services.exe'
      AND "SourceProcessImage" NOT LIKE '%\\vmtoolsd.exe'
      AND "SourceProcessImage" NOT LIKE '%\\lsm.exe'
    )
    OR
    /* Sysmon Event 7: Suspicious DLL image load with hook/inject naming */
    (
      QIDNAME(qid) LIKE '%ImageLoad%'
      AND (
        LOWER("ImageLoaded") LIKE '%hook%'
        OR LOWER("ImageLoaded") LIKE '%inject%'
        OR LOWER("ImageLoaded") LIKE '%detour%'
        OR LOWER("ImageLoaded") LIKE '%spy%'
        OR LOWER("ImageLoaded") LIKE '%intercept%'
      )
      AND "ImageLoaded" NOT LIKE '%\\Windows\\System32\\%'
      AND "ImageLoaded" NOT LIKE '%\\Windows\\SysWOW64\\%'
      AND "ImageLoaded" NOT LIKE '%\\Program Files\\%'
      AND "ImageLoaded" NOT LIKE '%\\Program Files (x86)\\%'
    )
    OR
    /* Sysmon Event 1 / Security 4688: Hook-related command line arguments */
    (
      QIDNAME(qid) LIKE '%ProcessCreate%'
      AND (
        "CommandLine" LIKE '%SetWindowsHookEx%'
        OR "CommandLine" LIKE '%WriteProcessMemory%'
        OR "CommandLine" LIKE '%VirtualAllocEx%'
        OR "CommandLine" LIKE '%CredEnumerate%'
        OR "CommandLine" LIKE '%CryptUnprotectData%'
        OR "CommandLine" LIKE '%LsaLogonUser%'
        OR LOWER("CommandLine") LIKE '%iat%hook%'
        OR LOWER("CommandLine") LIKE '%inline%hook%'
      )
    )
  )
ORDER BY starttime DESC
```

Severity: critical · Confidence: high

QRadar AQL detection for T1056.004 Credential API Hooking. The query reads Sysmon and Windows Security events from the `events` table and matches four behavioural signals: CreateRemoteThread into credential-handling processes (Sysmon Event 8), LSASS process access with known credential-theft GrantedAccess masks (Sysmon Event 10), DLL loads whose path contains hook/inject-style naming from outside the system and Program Files directories (Sysmon Event 7), and hook-related API names appearing in process command lines (Sysmon Event 1 / Security 4688). Each hit is labelled with the matching branch in the DetectionType column.
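As an added example (not the page's AQL and not IBM's code), the following Python models the same four branches over constructed Sysmon-style events so the allowlists and the access-mask logic can be exercised offline before the rule is tuned in QRadar. The field names EventID, SourceImage, TargetImage, GrantedAccess, ImageLoaded, Image and CommandLine follow Sysmon's own event fields; every sample event below is constructed. One deliberate departure from the AQL: the ProcessAccess branch tests the PROCESS_VM_READ / PROCESS_VM_WRITE bits of GrantedAccess rather than the query's exact-value list, because the 0x0410 mask that Test 2 under Testing Methodology expects is not in that list and would be missed by the query as written; `mask_in_aql_list()` makes that gap visible. The per-source alert count at the end is the grouping the query cannot express inline, since AQL has no window functions.

```python
"""Offline model of the T1056.004 QRadar rule over constructed Sysmon-style events.
Added example; not from the page, not IBM code. Assumes Sysmon field names."""
import re
from typing import Optional

# Process access rights from the Windows SDK (winnt.h)
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Lists mirror the AQL; file names are compared case-insensitively on the basename
CREDENTIAL_TARGETS = {"lsass.exe", "winlogon.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
                      "msedge.exe", "outlook.exe", "mstsc.exe", "explorer.exe", "svchost.exe"}
TRUSTED_SOURCES = {"csrss.exe", "svchost.exe", "services.exe", "wininit.exe", "msmpeng.exe",
                   "werfault.exe", "taskmgr.exe", "vmtoolsd.exe", "lsm.exe"}
HOOK_DLL_WORDS = ("hook", "inject", "detour", "spy", "intercept")
TRUSTED_DLL_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\",
                    "\\program files\\", "\\program files (x86)\\")
HOOK_API_NAMES = ("SetWindowsHookEx", "WriteProcessMemory", "VirtualAllocEx",
                  "CredEnumerate", "CryptUnprotectData", "LsaLogonUser")
# Exact-match list from the AQL's Event 10 branch
AQL_ACCESS_MASKS = {0x1010, 0x1410, 0x147a, 0x143a, 0x1438, 0x1fffff}


def basename(path: str) -> str:
    """Last path component, lower-cased, so '%\\lsass.exe' style matching is exact."""
    return path.rsplit("\\", 1)[-1].lower()


def mask_in_aql_list(granted_access: str) -> bool:
    """True when the hex mask is one of the exact values the AQL query lists."""
    return int(granted_access, 16) in AQL_ACCESS_MASKS


def classify(ev: dict) -> Optional[str]:
    """Return the DetectionType label the AQL would assign, or None if no branch matches."""
    eid = ev["EventID"]
    src = basename(ev.get("SourceImage", ""))
    tgt = basename(ev.get("TargetImage", ""))
    # Sysmon 8: remote thread into a credential-handling process from a non-allowlisted source
    if eid == 8 and tgt in CREDENTIAL_TARGETS and src not in TRUSTED_SOURCES:
        return "RemoteThreadIntoCredProcess"
    # Sysmon 10: LSASS opened with memory-read/write rights (bitwise, not exact-list)
    if eid == 10 and tgt == "lsass.exe" and src not in TRUSTED_SOURCES:
        if int(ev["GrantedAccess"], 16) & (PROCESS_VM_READ | PROCESS_VM_WRITE):
            return "LSASSMemoryAccessForHooking"
    # Sysmon 7: hook-style DLL name loaded from outside the trusted directories
    if eid == 7:
        img = ev.get("ImageLoaded", "").lower()
        if any(w in img for w in HOOK_DLL_WORDS) and not any(d in img for d in TRUSTED_DLL_DIRS):
            return "SuspiciousHookDLLLoaded"
    # Sysmon 1 / 4688: hooking API names on the command line
    if eid == 1:
        cmd = ev.get("CommandLine", "")
        if any(a in cmd for a in HOOK_API_NAMES) or re.search(r"iat.*hook|inline.*hook", cmd.lower()):
            return "HookRelatedCommandLine"
    return None


def alert_counts_by_source(events: list) -> dict:
    """Alerts per originating process image; the GROUP BY the AQL would need as a second query."""
    counts: dict = {}
    for ev in events:
        if classify(ev):
            key = basename(ev.get("SourceImage") or ev.get("Image", ""))
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample telemetry (not real events)
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",          # allowlisted source
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x0410"},
    {"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",  # EDR/AV
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\winhook.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\keyhook.dll"},                  # trusted directory
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell.exe -Command "... SetWindowsHookEx ..."'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]


def run(events: list = SAMPLE_EVENTS) -> list:
    """(EventID, DetectionType) for every sample event, None where no branch fires."""
    return [(ev["EventID"], classify(ev)) for ev in events]


if __name__ == "__main__":
    for eid, label in run():
        print(eid, label)
    print(alert_counts_by_source(SAMPLE_EVENTS))
```

The allowlists are copied from the query, so this is also a convenient place to add tuning exclusions (for example the EDR agents named under False Positives & Tuning) and confirm they suppress the intended events and nothing else before editing the AQL.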

Data Sources

  • IBM QRadar SIEM
  • Windows Sysmon log source
  • Windows Security Event log source

Required Tables

events

False Positives & Tuning

  • Endpoint detection and response (EDR) agents from vendors like CrowdStrike, SentinelOne, and Carbon Black routinely access LSASS memory with elevated access masks as part of their normal credential telemetry collection
  • Vulnerability scanners and penetration testing tools such as Metasploit, Cobalt Strike (in authorized red team engagements), and Mimikatz (in sanctioned environments) will generate all detection sub-types simultaneously
  • Legitimate accessibility or input automation software including AutoHotKey, Accessibility Insights, and UI Automation frameworks call SetWindowsHookEx as a core part of their operation
  • Software development environments and dynamic analysis sandboxes use process injection APIs during normal operation when loading plugins, debuggers, or profilers into target processes
  • Password synchronization utilities that bridge domain credentials to cloud identity providers may enumerate credential stores using CredEnumerate API calls
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: SetWindowsHookEx Credential Hook via PowerShell and C# Inline

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# hook code in the command line. Windows Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 7: Image loads for System.dll, user32.dll within the PowerShell process. Some EDRs will generate an API call event for SetWindowsHookEx.

  2. Test 2: LSASS Process Access with Credential-Harvesting Access Rights

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=lsass.exe, GrantedAccess=0x0410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION). Windows Security Event ID 4656 (Object access — process) if object access auditing is enabled. EDR products will typically generate a high-severity alert for any LSASS access from PowerShell.

  3. Test 3: LD_PRELOAD Hook to Intercept libc read() (Linux)

    Expected signal: Linux audit log (auditd): execve syscall for 'cat' with environment containing LD_PRELOAD=/tmp/hooktest.so. Syslog entries showing the shared library compilation (gcc) and execution. /proc/PID/maps for the cat process will show /tmp/hooktest.so loaded. The hook_test.log file creation captured by inotify or auditd file watches.

  4. Test 4: CreateRemoteThread into Browser Process Simulating IAT Hook Deployment

    Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, [email protected], NewThreadId will be populated. Sysmon Event ID 1: notepad.exe process created by powershell.exe parent. Windows Security Event ID 4688 for notepad.exe creation. EDR will generate high-severity alert for CreateRemoteThread from PowerShell into any process.
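The QRadar query above covers only the Windows signals; Test 3 expects Linux artefacts instead (LD_PRELOAD in the process environment and /tmp/hooktest.so visible in /proc/PID/maps). As an added example, not part of this page or of Atomic Red Team, the following Python checks both artefacts from the raw contents of /proc/<pid>/environ and /proc/<pid>/maps. The list of directories treated as untrusted for shared objects is an assumption; the environ and maps contents are constructed samples, and the macOS DYLD_INSERT_LIBRARIES variable from the technique description is handled alongside LD_PRELOAD.

```python
"""Flag preload-based library injection from /proc/<pid>/environ and /proc/<pid>/maps.
Added example; not from the page or Atomic Red Team. Directory list is an assumption."""
import re

# Assumption: directories from which a legitimately installed shared object should not be mapped
UNTRUSTED_LIB_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")
PRELOAD_VARS = ("LD_PRELOAD", "DYLD_INSERT_LIBRARIES")


def parse_environ(raw: bytes) -> dict:
    """/proc/<pid>/environ is NUL-separated KEY=VALUE pairs."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.decode(errors="replace").split("=", 1)
            env[key] = value
    return env


def preloaded_libs(env: dict) -> list:
    """Libraries named by LD_PRELOAD / DYLD_INSERT_LIBRARIES (space- or colon-separated)."""
    libs = []
    for var in PRELOAD_VARS:
        if var in env:
            libs += [p for p in re.split(r"[ :]+", env[var]) if p]
    return libs


def mapped_shared_objects(maps_text: str) -> list:
    """Distinct .so paths from /proc/<pid>/maps (fields: addr perms offset dev inode pathname)."""
    paths = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue            # anonymous mapping or pseudo-path such as [stack]
        path = parts[5]
        if (path.endswith(".so") or ".so." in path) and path not in paths:
            paths.append(path)
    return paths


def assess(environ_raw: bytes, maps_text: str) -> list:
    """Human-readable findings: preload variables set, and .so files mapped from untrusted dirs."""
    findings = []
    env = parse_environ(environ_raw)
    mapped = mapped_shared_objects(maps_text)
    for lib in preloaded_libs(env):
        status = "mapped" if lib in mapped else "not mapped"
        findings.append(f"preload variable points at {lib} ({status})")
    for path in mapped:
        if path.startswith(UNTRUSTED_LIB_DIRS):
            findings.append(f"shared object mapped from untrusted dir: {path}")
    return findings


# Constructed samples modelled on the Test 3 expected signal (not captured from a real host)
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/hooktest.so\0HOME=/home/alice\0"
SAMPLE_MAPS = """\
5594d2a00000-5594d2a08000 r-xp 00000000 fd:01 131 /usr/bin/cat
7f3c1a200000-7f3c1a201000 r-xp 00000000 fd:01 1234 /tmp/hooktest.so
7f3c1a201000-7f3c1a202000 r--p 00000000 fd:01 1234 /tmp/hooktest.so
7f3c1a400000-7f3c1a5c0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd3e800000-7ffd3e821000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_ENVIRON, SAMPLE_MAPS):
        print(finding)
```

On a live host the same functions can be fed `open(f"/proc/{pid}/environ", "rb").read()` and `open(f"/proc/{pid}/maps").read()` for each process of interest; note that the environ file reflects the environment at exec time, which is exactly the moment LD_PRELOAD takes effect.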
