Detect Credential API Hooking in Microsoft Sentinel

Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging, this technique specifically targets API functions whose parameters reveal authentication credentials. On Windows, this includes hook procedures (SetWindowsHookEx), Import Address Table (IAT) hooking, and inline hooking of functions such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData. On Linux and macOS, adversaries abuse LD_PRELOAD or DYLD_INSERT_LIBRARIES to inject shared libraries that intercept credential-handling functions like libc read() as used by SSH/SCP. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher use these techniques extensively.

MITRE ATT&CK

Tactic
Collection, Credential Access
Technique
T1056 Input Capture
Sub-technique
T1056.004 Credential API Hooking
Canonical reference
https://attack.mitre.org/techniques/T1056/004/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Reference list of credential-bearing Windows APIs from the technique description.
// Defender for Endpoint does not emit a per-call event for most of these, so the list is
// not filtered on below; it is suited to command-line hunting in DeviceProcessEvents
// (e.g. ProcessCommandLine has_any (CredentialAPIs) on powershell.exe / pwsh.exe).
let CredentialAPIs = dynamic([
  "LsaLogonUser", "SamIGetPrivateData", "CryptUnprotectData",
  "CredEnumerateA", "CredEnumerateW", "CredReadA", "CredReadW",
  "WlxLoggedOnSAS", "NtLmSsp", "SsprChangePasswordCaller",
  "GetUserNameA", "GetUserNameW", "LookupAccountNameA",
  "CreateWindowEx", "SetWindowsHookEx", "SetWindowsHookExA", "SetWindowsHookExW"
]);
// Processes that handle credentials or host authentication UI; the targets worth watching.
let SuspiciousInjectionProcesses = dynamic([
  "lsass.exe", "winlogon.exe", "explorer.exe", "svchost.exe",
  "chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
  "outlook.exe", "mstsc.exe"
]);
// Known-bad hooking-module hashes from threat intel. Left empty on purpose:
// set_has_element() on an empty array is false, so nothing matches until it is populated.
let KnownHookingModuleHashes = dynamic([]);
// Detection 1: remote thread creation into credential-handling processes.
// For CreateRemoteThreadApiCall, FileName/ProcessId describe the target process and
// InitiatingProcess* the source. AccountName is taken from the initiating process so
// all four detections share one column for the final summarize.
let RemoteThreadIntoCredProcs = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where FileName in~ (SuspiciousInjectionProcesses)
| where InitiatingProcessFileName !in~ ("csrss.exe", "svchost.exe", "services.exe", "wininit.exe")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, ActionType,
    FileName, InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessId, ProcessId, InitiatingProcessParentFileName,
    DetectionType = "RemoteThreadIntoCredentialProcess";
// Detection 2: DLL image loads with hooking-framework names, or known-bad hashes, in sensitive processes.
// DeviceImageLoadEvents has no AccountName column; the account comes from InitiatingProcessAccountName.
let SuspiciousHookingDLLs = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (SuspiciousInjectionProcesses)
// has_any matches whole terms ("hook.dll"), not substrings ("apihook.dll"); use contains for the latter.
| where FileName has_any ("hook", "inject", "detour", "api_ms_win_security", "spy", "monitor")
    or set_has_element(KnownHookingModuleHashes, SHA256)
| where not (FolderPath has_any ("\\Windows\\System32\\", "\\Windows\\SysWOW64\\", "\\Program Files\\"))
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, FolderPath, SHA256,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionType = "SuspiciousHookingDLLLoaded";
// Detection 3: SetWindowsHookEx-style API call events from processes that do not normally install hooks.
// Only fires where the sensor emits API-call telemetry for these calls; the substring match
// tolerates ActionType naming differences between sensor versions.
let HookExAPICalls = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType has_any ("SetWindowsHookEx", "NtSetInformationProcess")
| where InitiatingProcessFileName !in~ ("explorer.exe", "csrss.exe", "dwm.exe", "userinit.exe", "ctfmon.exe")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, ActionType,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessFolderPath, InitiatingProcessParentFileName,
    DetectionType = "SuspiciousHookAPICall";
// Detection 4: handles opened to LSASS from outside a baseline allowlist (credential theft precursor).
// Baseline the allowlist per environment: backup, vulnerability-scanning and EDR agents open LSASS routinely.
let LSASSAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ (
    "MsMpEng.exe", "svchost.exe", "csrss.exe", "werfault.exe",
    "taskmgr.exe", "services.exe", "WmiPrvSE.exe", "lsm.exe",
    "vmtoolsd.exe", "VGAuthService.exe", "AmSvc.exe"
  )
// DesiredAccess (hex access mask) is carried in AdditionalFields on sensors that report it;
// a handle without PROCESS_VM_READ (0x10) cannot read credential material and can be demoted.
| extend DesiredAccess = tostring(parse_json(AdditionalFields).DesiredAccess)
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, ActionType,
    FileName, DesiredAccess, InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessFolderPath, InitiatingProcessParentFileName,
    DetectionType = "LSASSAccessForHooking";
union RemoteThreadIntoCredProcs, SuspiciousHookingDLLs, HookExAPICalls, LSASSAccess
| summarize EventCount = count(), DetectionTypes = make_set(DetectionType),
    FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
// RiskScore is the number of distinct detection categories (1 to 4) seen for this process.
| extend RiskScore = array_length(DetectionTypes)
| sort by RiskScore desc, LastSeen desc
```

Severity: High · Confidence: Medium

Detects credential API hooking activity using the Microsoft Defender for Endpoint tables ingested into Sentinel (DeviceEvents, DeviceImageLoadEvents) by combining four detection patterns: (1) remote thread creation into credential-handling processes such as lsass.exe, winlogon.exe and browsers, (2) DLL image loads whose file name or hash suggests a hooking framework, loaded into those same processes from outside the Windows and Program Files directories, (3) SetWindowsHookEx and related API call events from processes that do not normally install hooks, and (4) handles opened to LSASS from processes outside a baseline allowlist, which is a prerequisite for hooking or reading credential material in that process. Results are aggregated per device, account and initiating process, and RiskScore counts how many of the four categories fired for that process (1 to 4), so a process that both opened LSASS and created a remote thread into a browser sorts above one-off hits. The query covers Windows telemetry only; the LD_PRELOAD and DYLD_INSERT_LIBRARIES variants described above are not visible in these tables and need Linux/macOS data sources.

Data Sources

  • Process: Process Creation
  • Process: OS API Execution
  • Module: Module Load
  • Driver: Driver Load

Required Tables

  • DeviceEvents
  • DeviceImageLoadEvents
  • DeviceProcessEvents (only needed if you extend the query with command-line hunting)

False Positives & Tuning

  • Legitimate security products (AV, EDR agents, DLP tools) that use hooking internally to monitor API calls — MsMpEng.exe, CylanceSvc.exe, CbDefense.exe
  • Accessibility software (screen readers, magnifiers, input helpers) that use SetWindowsHookEx to intercept keyboard/mouse input — JAWS, NVDA, ZoomText
  • Application compatibility shims and compatibility layers (AppHelp, Windows Shims) that hook APIs for legacy application support
  • Debugging tools and profilers (WinDbg, Visual Studio debugger, dotTrace, dotMemory) that legitimately attach to processes and intercept API calls
  • Remote administration and screen-sharing software (TeamViewer, AnyDesk, RDP hooks in mstsc.exe) that use hooks for display capture

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SetWindowsHookEx Credential Hook via PowerShell and C# Inline

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# hook code in the command line. Windows Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 7: Image loads for System.dll, user32.dll within the PowerShell process. Some EDRs will generate an API call event for SetWindowsHookEx.

  2. Test 2: LSASS Process Access with Credential-Harvesting Access Rights

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=lsass.exe, GrantedAccess=0x0410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION); Sysmon only logs this if its configuration includes lsass.exe as a ProcessAccess target. Windows Security Event ID 4656 (a handle to an object was requested) if object access auditing is enabled. In Defender for Endpoint the same handle surfaces as an OpenProcessApiCall event in DeviceEvents, which Detection 4 above consumes. EDR products will typically generate a high-severity alert for any LSASS access from PowerShell.

  3. Test 3: LD_PRELOAD Hook to Intercept libc read() (Linux)

    Expected signal: auditd execve record for cat (argv only: auditd does not record the environment, so LD_PRELOAD=/tmp/hooktest.so itself is visible only in /proc/PID/environ while the process is alive or through a tracer that captures the environment). auditd execve records for gcc if process execution is audited. /proc/PID/maps for the cat process shows /tmp/hooktest.so mapped. Creation of hook_test.log captured by an auditd file watch (-w) or inotify.

  4. Test 4: CreateRemoteThread into Browser Process Simulating IAT Hook Deployment

    Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, with NewThreadId, StartAddress and StartModule populated. Sysmon Event ID 1: notepad.exe process created by powershell.exe parent. Windows Security Event ID 4688 for notepad.exe creation. In Defender for Endpoint this is a CreateRemoteThreadApiCall event in DeviceEvents (Detection 1 above, once the target is one of the watched processes). EDR will generate a high-severity alert for CreateRemoteThread from PowerShell into any process.
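The GrantedAccess mask that Test 2 expects (0x0410) is what separates a credential read from the benign query-only handles that make Detection 4 noisy. The Python below is an added example written for this page, not code from the query above or from Atomic Red Team: it decodes a process-access mask into its winnt.h rights, ranks what the handle lets the caller do to LSASS memory, and applies the Detection 4 allowlist to a few constructed Sysmon Event ID 10-style records. The sample events, paths and ranking thresholds are assumptions; that Defender for Endpoint carries the same mask as DesiredAccess in AdditionalFields for OpenProcessApiCall is an assumption to verify against your tenant's schema.

```python
"""Decode and triage process-access masks against lsass.exe.

Added example for this page, not part of the Sentinel query or of Atomic Red Team.
Input is the GrantedAccess value of a Sysmon Event ID 10 (ProcessAccess) record
(assumed equivalent to DesiredAccess in Defender for Endpoint OpenProcessApiCall
events). The events at the bottom are constructed samples, not captured telemetry.
"""
from typing import Dict, List

# Process-specific access rights and the standard rights, from winnt.h.
ACCESS_RIGHTS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF                 # Vista and later
INJECTION_BITS = 0x0002 | 0x0008 | 0x0020     # CREATE_THREAD | VM_OPERATION | VM_WRITE
MEMORY_READ_BIT = 0x0010                      # PROCESS_VM_READ, the minimum for a dump

# Same source-process allowlist as Detection 4 in the query above (compared case-insensitively).
LSASS_ACCESS_ALLOWLIST = {
    "msmpeng.exe", "svchost.exe", "csrss.exe", "werfault.exe", "taskmgr.exe",
    "services.exe", "wmiprvse.exe", "lsm.exe", "vmtoolsd.exe",
    "vgauthservice.exe", "amsvc.exe",
}


def parse_mask(value) -> int:
    """Accept an int, a '0x1410' string, or a decimal string, as different sensors log it."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def decode_access_mask(mask: int) -> List[str]:
    """Return the named rights set in mask, lowest bit first; unknown bits are kept, not dropped."""
    names = []
    bit = 1
    while bit <= mask:
        if mask & bit:
            names.append(ACCESS_RIGHTS.get(bit, f"UNKNOWN_0x{bit:X}"))
        bit <<= 1
    return names


def classify_access(mask: int) -> str:
    """Rank a handle by what it permits on the target: full control > inject > read > query."""
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return "full-control"
    if mask & INJECTION_BITS:
        return "injection-capable"
    if mask & MEMORY_READ_BIT:
        return "memory-read"
    return "query-only"


def triage_lsass_access(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the Detection 4 logic, plus an access-mask check, to EID 10-style records.

    A record is raised when the target is lsass.exe, the source is not allowlisted, and
    the handle can at least read memory. Query-only handles (0x1000, 0x1400, ...) are
    dropped: they cannot read credential material and are the bulk of benign traffic.
    """
    raised = []
    for ev in events:
        target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
        source = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
        if target != "lsass.exe" or source in LSASS_ACCESS_ALLOWLIST:
            continue
        mask = parse_mask(ev["GrantedAccess"])
        category = classify_access(mask)
        if category == "query-only":
            continue
        raised.append({
            "SourceImage": ev["SourceImage"],
            "GrantedAccess": f"0x{mask:X}",
            "Rights": decode_access_mask(mask),
            "Category": category,
        })
    return raised


# Constructed sample records in the shape of Sysmon Event ID 10 fields (not real captures).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x0410"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\alice\Desktop\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x143A"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Program Files\Inventory\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Users\alice\Desktop\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for hit in triage_lsass_access(SAMPLE_EVENTS):
        print(hit["Category"], hit["GrantedAccess"], hit["SourceImage"], ", ".join(hit["Rights"]))
```

Run against the constructed records, only two are raised: the PowerShell handle with 0x0410 as memory-read (the Test 2 signal) and the 0x143A handle from the unsigned user-profile binary as injection-capable. The Defender engine's 0x1FFFFF handle is allowlisted, the two query-only handles are dropped, and the notepad.exe target is ignored. The same split can be expressed in the Sentinel query by testing the DesiredAccess mask with binary_and() once you have confirmed the field is present in your tenant's AdditionalFields.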
