T1056.004 Splunk · SPL

Detect Credential API Hooking in Splunk

Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging, this technique specifically targets API functions whose parameters reveal authentication credentials. On Windows, this includes hook procedures (SetWindowsHookEx), Import Address Table (IAT) hooking, and inline hooking of functions such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData. On Linux and macOS, adversaries abuse LD_PRELOAD or DYLD_INSERT_LIBRARIES to inject shared libraries that intercept credential-handling functions like libc read() as used by SSH/SCP. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher use these techniques extensively.

MITRE ATT&CK

Tactic
Collection Credential Access
Technique
T1056 Input Capture
Sub-technique
T1056.004 Credential API Hooking
Canonical reference
https://attack.mitre.org/techniques/T1056/004/

SPL Detection Query

Splunk (SPL)
spl 
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval EventCode=coalesce(EventCode, event_id)
(
  (
    EventCode=8
    (TargetImage="*\\lsass.exe" OR TargetImage="*\\winlogon.exe" OR
     TargetImage="*\\chrome.exe" OR TargetImage="*\\firefox.exe" OR
     TargetImage="*\\iexplore.exe" OR TargetImage="*\\msedge.exe" OR
     TargetImage="*\\outlook.exe" OR TargetImage="*\\mstsc.exe" OR
     TargetImage="*\\explorer.exe" OR TargetImage="*\\svchost.exe")
    NOT (SourceImage="*\\csrss.exe" OR SourceImage="*\\svchost.exe"
         OR SourceImage="*\\services.exe" OR SourceImage="*\\wininit.exe"
         OR SourceImage="*\\MsMpEng.exe")
  )
  OR
  (
    EventCode=10
    TargetImage="*\\lsass.exe"
    (GrantedAccess="0x1010" OR GrantedAccess="0x1410" OR
     GrantedAccess="0x147a" OR GrantedAccess="0x143a" OR
     GrantedAccess="0x1438" OR GrantedAccess="0x1fffff")
    NOT (SourceImage="*\\MsMpEng.exe" OR SourceImage="*\\svchost.exe"
         OR SourceImage="*\\csrss.exe" OR SourceImage="*\\werfault.exe"
         OR SourceImage="*\\taskmgr.exe" OR SourceImage="*\\services.exe"
         OR SourceImage="*\\vmtoolsd.exe" OR SourceImage="*\\lsm.exe")
  )
  OR
  (
    EventCode=7
    (ImageLoaded="*hook*" OR ImageLoaded="*inject*" OR ImageLoaded="*detour*"
     OR ImageLoaded="*spy*" OR ImageLoaded="*intercept*")
    NOT (ImageLoaded="*\\Windows\\System32\\*" OR ImageLoaded="*\\Windows\\SysWOW64\\*"
         OR ImageLoaded="*\\Program Files\\*" OR ImageLoaded="*\\Program Files (x86)\\*")
  )
  OR
  (
    EventCode=1
    (CommandLine="*SetWindowsHookEx*" OR CommandLine="*WriteProcessMemory*"
     OR CommandLine="*VirtualAllocEx*" OR CommandLine="*CredEnumerate*"
     OR CommandLine="*CryptUnprotectData*" OR CommandLine="*LsaLogonUser*"
     OR CommandLine="*IAT*hook*" OR CommandLine="*inline*hook*")
  )
)
| eval DetectionType=case(
    EventCode==8, "RemoteThreadCreateIntoCredProcess",
    EventCode==10, "LSASSMemoryAccessForHooking",
    EventCode==7, "SuspiciousHookDLLLoaded",
    EventCode==1, "HookRelatedCommandLine",
    true(), "Unknown"
  )
| eval TargetProc=coalesce(TargetImage, "N/A")
| eval SourceProc=coalesce(SourceImage, Image, "N/A")
| eval AccessGranted=coalesce(GrantedAccess, "N/A")
| eval DLLLoaded=coalesce(ImageLoaded, "N/A")
| eval CmdLine=coalesce(CommandLine, "N/A")
| stats count as EventCount,
        values(DetectionType) as DetectionTypes,
        values(TargetProc) as TargetProcesses,
        values(AccessGranted) as AccessRights,
        values(DLLLoaded) as SuspiciousDLLs,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen
        by host, SourceProc, CmdLine, User
| eval RiskScore=mvcount(DetectionTypes)
| eval TimeDeltaMinutes=round((LastSeen - FirstSeen) / 60, 2)
| where RiskScore >= 1
| table host, User, SourceProc, CmdLine, DetectionTypes, TargetProcesses,
        AccessRights, SuspiciousDLLs, EventCount, RiskScore,
        FirstSeen, LastSeen, TimeDeltaMinutes
| sort - RiskScore, - EventCount
high severity medium confidence

Detects credential API hooking using Sysmon logs across four event types: (1) Sysmon Event ID 8 (CreateRemoteThread) into credential-handling processes, (2) Sysmon Event ID 10 (ProcessAccess) against lsass.exe with suspicious granted access rights associated with hooking, (3) Sysmon Event ID 7 (ImageLoad) for DLLs with hook-related names loaded from non-system paths, and (4) Sysmon Event ID 1 (Process Create) where command lines reference hooking-related API names. Results are aggregated by host and source process with a risk score derived from how many detection categories fired.

Data Sources

Process: OS API ExecutionProcess: Process AccessModule: Module LoadProcess: Process CreationSysmon Event ID 1, 7, 8, 10

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate security products (AV, EDR agents, DLP tools) that use hooking internally — MsMpEng.exe, CylanceSvc.exe, SentinelOne, CrowdStrike Falcon
  • Accessibility software (JAWS, NVDA, ZoomText) that uses SetWindowsHookEx for input interception
  • Debugging tools (WinDbg, Visual Studio, OllyDbg, x64dbg) and performance profilers that access process memory
  • Virtualization guest tools (VMware Tools vmtoolsd.exe, VirtualBox additions) that legitimately access system processes
  • Application compatibility shims and compatibility layers managed by Windows that hook APIs for legacy software support
Download portable Sigma rule (.yml)

Other platforms for T1056.004

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SetWindowsHookEx Credential Hook via PowerShell and C# Inline

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# hook code in the command line. Windows Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 7: Image loads for System.dll, user32.dll within the PowerShell process. Some EDRs will generate an API call event for SetWindowsHookEx.

  2. Test 2LSASS Process Access with Credential-Harvesting Access Rights

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=lsass.exe, GrantedAccess=0x0410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION). Windows Security Event ID 4656 (Object access — process) if object access auditing is enabled. EDR products will typically generate a high-severity alert for any LSASS access from PowerShell.

  3. Test 3LD_PRELOAD Hook to Intercept libc read() (Linux)

    Expected signal: Linux audit log (auditd): execve syscall for 'cat' with environment containing LD_PRELOAD=/tmp/hooktest.so. Syslog entries showing the shared library compilation (gcc) and execution. /proc/PID/maps for the cat process will show /tmp/hooktest.so loaded. The hook_test.log file creation captured by inotify or auditd file watches.

  4. Test 4CreateRemoteThread into Browser Process Simulating IAT Hook Deployment

    Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, [email protected], NewThreadId will be populated. Sysmon Event ID 1: notepad.exe process created by powershell.exe parent. Windows Security Event ID 4688 for notepad.exe creation. EDR will generate high-severity alert for CreateRemoteThread from PowerShell into any process.

Last updated: 2026-04-16 Research depth: deep
References (14)

Unlock Pro Content

Get the full detection package for T1056.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1056Input Capture

Related Sub-techniques

T1056.001KeyloggingT1056.002GUI Input CaptureT1056.003Web Portal Capture

Related Techniques

T1056Input CaptureT1056.001KeyloggingT1055Process InjectionT1055.001Dynamic-link Library InjectionT1055.012Process HollowingT1003.001LSASS MemoryT1547.006Kernel Modules and ExtensionsT1574.001DLLT1574.002DLL Side-LoadingT1134Access Token Manipulation

Same Tactic: Collection

Popular Detections