T1056.004 Sumo Logic CSE · Sumo

Detect Credential API Hooking in Sumo Logic CSE

Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging, this technique specifically targets API functions whose parameters reveal authentication credentials. On Windows, this includes hook procedures (SetWindowsHookEx), Import Address Table (IAT) hooking, and inline hooking of functions such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData. On Linux and macOS, adversaries abuse LD_PRELOAD or DYLD_INSERT_LIBRARIES to inject shared libraries that intercept credential-handling functions like libc read() as used by SSH/SCP. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher use these techniques extensively.

MITRE ATT&CK

Tactic: Collection, Credential Access
Technique: T1056 Input Capture
Sub-technique: T1056.004 Credential API Hooking
Canonical reference: https://attack.mitre.org/techniques/T1056/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)
/* T1056.004 Credential API Hooking — Sumo Logic CSE */
_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json auto
/* Normalize EventCode across Sysmon XML and Security log formats */
| if(isNull(EventCode), if(!isNull(event_id), event_id, ""), EventCode) as EventCode
| where EventCode in ("8", "10", "7", "1", "4688")
/* Sub-detection 1: Remote thread creation into credential processes (Sysmon 8) */
| where
  (
    EventCode == "8"
    AND (
      TargetImage matches "*\\lsass.exe" OR
      TargetImage matches "*\\winlogon.exe" OR
      TargetImage matches "*\\chrome.exe" OR
      TargetImage matches "*\\firefox.exe" OR
      TargetImage matches "*\\iexplore.exe" OR
      TargetImage matches "*\\msedge.exe" OR
      TargetImage matches "*\\outlook.exe" OR
      TargetImage matches "*\\mstsc.exe" OR
      TargetImage matches "*\\explorer.exe" OR
      TargetImage matches "*\\svchost.exe"
    )
    AND NOT (
      SourceImage matches "*\\csrss.exe" OR
      SourceImage matches "*\\svchost.exe" OR
      SourceImage matches "*\\services.exe" OR
      SourceImage matches "*\\wininit.exe" OR
      SourceImage matches "*\\MsMpEng.exe"
    )
  )
  OR
  (
    /* Sub-detection 2: LSASS process access with credential-theft access masks (Sysmon 10) */
    EventCode == "10"
    AND TargetImage matches "*\\lsass.exe"
    AND GrantedAccess in ("0x1010", "0x1410", "0x147a", "0x143a", "0x1438", "0x1fffff")
    AND NOT (
      SourceImage matches "*\\MsMpEng.exe" OR
      SourceImage matches "*\\svchost.exe" OR
      SourceImage matches "*\\csrss.exe" OR
      SourceImage matches "*\\werfault.exe" OR
      SourceImage matches "*\\taskmgr.exe" OR
      SourceImage matches "*\\services.exe" OR
      SourceImage matches "*\\vmtoolsd.exe" OR
      SourceImage matches "*\\lsm.exe"
    )
  )
  OR
  (
    /* Sub-detection 3: Suspicious hooking DLL loaded from non-system path (Sysmon 7) */
    EventCode == "7"
    AND (
      toLowerCase(ImageLoaded) matches "*hook*" OR
      toLowerCase(ImageLoaded) matches "*inject*" OR
      toLowerCase(ImageLoaded) matches "*detour*" OR
      toLowerCase(ImageLoaded) matches "*spy*" OR
      toLowerCase(ImageLoaded) matches "*intercept*"
    )
    AND NOT (
      ImageLoaded matches "*\\Windows\\System32\\*" OR
      ImageLoaded matches "*\\Windows\\SysWOW64\\*" OR
      ImageLoaded matches "*\\Program Files\\*" OR
      ImageLoaded matches "*\\Program Files (x86)\\*"
    )
  )
  OR
  (
    /* Sub-detection 4: Hook API names in command line (Sysmon 1 / Security 4688) */
    EventCode in ("1", "4688")
    AND (
      CommandLine matches "*SetWindowsHookEx*" OR
      CommandLine matches "*WriteProcessMemory*" OR
      CommandLine matches "*VirtualAllocEx*" OR
      CommandLine matches "*CredEnumerate*" OR
      CommandLine matches "*CryptUnprotectData*" OR
      CommandLine matches "*LsaLogonUser*" OR
      toLowerCase(CommandLine) matches "*iat*hook*" OR
      toLowerCase(CommandLine) matches "*inline*hook*"
    )
  )
/* Enrich and normalize fields */
| if(EventCode == "8", "RemoteThreadIntoCredProcess",
    if(EventCode == "10", "LSASSMemoryAccessForHooking",
      if(EventCode == "7", "SuspiciousHookDLLLoaded",
        if(EventCode in ("1", "4688"), "HookRelatedCommandLine", "Unknown")
      )
    )
  ) as DetectionType
| if(!isNull(TargetImage), TargetImage, "N/A") as TargetProcess
| if(!isNull(SourceImage), SourceImage, if(!isNull(Image), Image, "N/A")) as SourceProcess
| if(!isNull(GrantedAccess), GrantedAccess, "N/A") as AccessMask
| if(!isNull(ImageLoaded), ImageLoaded, "N/A") as LoadedDLL
| if(!isNull(CommandLine), CommandLine, "N/A") as CmdLine
| if(!isNull(User), User, if(!isNull(SubjectUserName), SubjectUserName, "N/A")) as UserAccount
| timeslice 1h
/* Sumo Logic aggregates directly after the pipe (there is no "stats" operator);
   the message timestamp field is _messagetime */
| count as EventCount,
    values(DetectionType) as DetectionTypes,
    values(TargetProcess) as TargetProcesses,
    values(AccessMask) as AccessRights,
    values(LoadedDLL) as SuspiciousDLLs,
    min(_messagetime) as FirstSeen,
    max(_messagetime) as LastSeen
    by _timeslice, Computer, SourceProcess, CmdLine, UserAccount
| fields -_timeslice
| sort by EventCount desc

Severity: critical
Confidence: high

Sumo Logic detection for T1056.004 Credential API Hooking across four behavioral sub-detections using Sysmon and Windows Security event sources: remote thread injection into credential processes (Event 8), LSASS memory access with known hooking access masks (Event 10), suspicious DLL loads by name pattern from non-system paths (Event 7), and hook-related API names in process command lines (Events 1/4688). Results are aggregated per host and source process for analyst triage.
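The four sub-detections and the per-host aggregation are easiest to reason about when they can be run against a handful of events on a workstation. The script below is an added example written for this page, not the page's query or a Sumo Logic artifact: it re-implements the same allow/deny lists, access-mask set, path exclusions and grouping keys in plain Python and runs them over constructed Sysmon and Security events. It assumes the same field names the query uses (EventCode/event_id, SourceImage, TargetImage, GrantedAccess, ImageLoaded, CommandLine, Image, User, SubjectUserName, Computer) plus an epoch-seconds _messagetime, and it compares file names case-insensitively, which is a deliberate loosening of the query's `matches` clauses.

```python
from collections import defaultdict

# Allow/deny lists transcribed from the four sub-detections of the Sumo query above.
CRED_TARGETS = {"lsass.exe", "winlogon.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
                "msedge.exe", "outlook.exe", "mstsc.exe", "explorer.exe", "svchost.exe"}
THREAD_SRC_ALLOW = {"csrss.exe", "svchost.exe", "services.exe", "wininit.exe", "msmpeng.exe"}
LSASS_MASKS = {"0x1010", "0x1410", "0x147a", "0x143a", "0x1438", "0x1fffff"}
LSASS_SRC_ALLOW = {"msmpeng.exe", "svchost.exe", "csrss.exe", "werfault.exe", "taskmgr.exe",
                   "services.exe", "vmtoolsd.exe", "lsm.exe"}
HOOK_DLL_WORDS = ("hook", "inject", "detour", "spy", "intercept")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\",
               "\\program files\\", "\\program files (x86)\\")
HOOK_APIS = ("setwindowshookex", "writeprocessmemory", "virtualallocex",
             "credenumerate", "cryptunprotectdata", "lsalogonuser")

def _base(path):
    """Lower-cased file name of a Windows path; stands in for the '*\\name.exe' wildcard."""
    return path.rsplit("\\", 1)[-1].lower()

def _in_order(text, first, second):
    """True when `first` occurs and `second` occurs after it (the '*first*second*' wildcard)."""
    i = text.find(first)
    return i >= 0 and second in text[i + len(first):]

def classify(ev):
    """Return the DetectionType label the query assigns, or None when no sub-detection fires."""
    code = str(ev.get("EventCode") or ev.get("event_id") or "")  # the query's first if()
    tgt, src = _base(ev.get("TargetImage", "")), _base(ev.get("SourceImage", ""))
    if code == "8" and tgt in CRED_TARGETS and src not in THREAD_SRC_ALLOW:
        return "RemoteThreadIntoCredProcess"
    if (code == "10" and tgt == "lsass.exe" and src not in LSASS_SRC_ALLOW
            and ev.get("GrantedAccess", "").lower() in LSASS_MASKS):
        return "LSASSMemoryAccessForHooking"
    if code == "7":
        dll = ev.get("ImageLoaded", "").lower()
        if any(w in dll for w in HOOK_DLL_WORDS) and not any(d in dll for d in SYSTEM_DIRS):
            return "SuspiciousHookDLLLoaded"
    if code in ("1", "4688"):
        cmd = ev.get("CommandLine", "").lower()
        if (any(api in cmd for api in HOOK_APIS) or _in_order(cmd, "iat", "hook")
                or _in_order(cmd, "inline", "hook")):
            return "HookRelatedCommandLine"
    return None

def aggregate(events, slice_seconds=3600):
    """Mirror 'timeslice 1h' + 'by _timeslice, Computer, SourceProcess, CmdLine, UserAccount'."""
    groups = defaultdict(lambda: {"EventCount": 0, "DetectionTypes": set(), "TargetProcesses": set(),
                                  "AccessRights": set(), "SuspiciousDLLs": set(), "FirstSeen": None, "LastSeen": None})
    for ev in events:
        dtype = classify(ev)
        if dtype is None:
            continue
        t = ev["_messagetime"]
        key = (t // slice_seconds, ev.get("Computer", "N/A"),
               ev.get("SourceImage") or ev.get("Image") or "N/A",      # SourceProcess
               ev.get("CommandLine", "N/A"),                           # CmdLine
               ev.get("User") or ev.get("SubjectUserName") or "N/A")   # UserAccount
        g = groups[key]
        g["EventCount"] += 1
        g["DetectionTypes"].add(dtype)
        g["TargetProcesses"].add(ev.get("TargetImage", "N/A"))
        g["AccessRights"].add(ev.get("GrantedAccess", "N/A"))
        g["SuspiciousDLLs"].add(ev.get("ImageLoaded", "N/A"))
        g["FirstSeen"] = t if g["FirstSeen"] is None else min(g["FirstSeen"], t)
        g["LastSeen"] = t if g["LastSeen"] is None else max(g["LastSeen"], t)
    return sorted(groups.items(), key=lambda kv: kv[1]["EventCount"], reverse=True)

# Constructed sample events (not real telemetry); _messagetime is epoch seconds.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    # 0: Sysmon 10, PowerShell opens LSASS with a listed mask -> fires
    {"EventCode": "10", "Computer": "WS01", "SourceImage": PS, "TargetImage": LSASS,
     "GrantedAccess": "0x1410", "User": "CORP\\alice", "_messagetime": 1000},
    # 1: Sysmon 10, Defender engine -> suppressed by the source allow-list
    {"EventCode": "10", "Computer": "WS01", "SourceImage": "C:\\ProgramData\\Defender\\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1410", "User": "NT AUTHORITY\\SYSTEM", "_messagetime": 1010},
    # 2: Sysmon 8, same PowerShell starts a thread in chrome.exe -> fires, same 1h group as #0
    {"EventCode": "8", "Computer": "WS01", "SourceImage": PS, "User": "CORP\\alice", "_messagetime": 1200,
     "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    # 3: Sysmon 7, DLL named *hook* loaded from a user temp dir -> fires
    {"EventCode": "7", "Computer": "WS02", "Image": "C:\\Users\\bob\\tool.exe", "User": "CORP\\bob",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\apihook.dll", "_messagetime": 5000},
    # 4: Sysmon 7, APM-style *inject* DLL under Program Files -> suppressed by the path exclusion
    {"EventCode": "7", "Computer": "WS02", "Image": "C:\\app\\svc.exe", "User": "CORP\\svc",
     "ImageLoaded": "C:\\Program Files\\Vendor\\inject-agent.dll", "_messagetime": 5010},
    # 5: Security 4688 (event_id field), hook API name on the command line -> fires
    {"event_id": "4688", "Computer": "WS03", "Image": "C:\\Python311\\python.exe",
     "CommandLine": "python.exe hotkeys.py --use-SetWindowsHookEx", "SubjectUserName": "carol", "_messagetime": 9000},
    # 6: Sysmon 1, '*inline*hook*' wildcard -> fires
    {"EventCode": "1", "Computer": "WS03", "Image": "C:\\Users\\carol\\loader.exe",
     "CommandLine": "loader.exe --mode inline-hook", "User": "CORP\\carol", "_messagetime": 9200},
]

if __name__ == "__main__":
    for key, row in aggregate(SAMPLE_EVENTS):
        print(key, row["EventCount"], sorted(row["DetectionTypes"]))
```

Events 1 and 4 show where the tuning in the False Positives section applies: the source-process allow-list and the System32/Program Files path exclusion are what keep Defender and vendor agents out of the results, so any new EDR or APM product in the estate needs its own entry there rather than a change to the detection logic.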

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Sysmon log collection
  • Windows Security Event log collection

Required Tables

  • windows/sysmon
  • windows/security

False Positives & Tuning

  • Security software from CrowdStrike, SentinelOne, Cylance, and similar EDR vendors routinely generates LSASS process access events (Event 10) with elevated GrantedAccess values as part of its memory scanning and telemetry workflows
  • Automated red team tooling operating under an authorized penetration testing engagement will deliberately trigger all four sub-detections — correlate with change management records and authorized test windows
  • Legitimate UI automation frameworks (Python win32gui bindings, AutoHotkey scripts, Sikuli) call SetWindowsHookEx for keyboard and mouse hook installation and will generate HookRelatedCommandLine alerts
  • Application monitoring and APM agents (Dynatrace, AppDynamics, New Relic) inject DLLs into application processes for performance instrumentation — their DLL names may partially match hook/inject patterns
  • Software installers that perform in-process patching (MSI transforms, application virtualization) may load DLLs with detour-style names from temp or application paths outside of System32

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SetWindowsHookEx Credential Hook via PowerShell and C# Inline

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# hook code in the command line. Windows Security Event ID 4688 (if command line auditing enabled). Sysmon Event ID 7: Image loads for System.dll, user32.dll within the PowerShell process. Some EDRs will generate an API call event for SetWindowsHookEx.

  2. Test 2: LSASS Process Access with Credential-Harvesting Access Rights

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=lsass.exe, GrantedAccess=0x0410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION). Windows Security Event ID 4656 (Object access — process) if object access auditing is enabled. EDR products will typically generate a high-severity alert for any LSASS access from PowerShell. Note that 0x0410 is not among the GrantedAccess values listed in Sub-detection 2 of the query above (0x1010, 0x1410, 0x147a, 0x143a, 0x1438, 0x1fffff), so this test will appear in raw Event 10 telemetry but will not trigger the rule unless that list is extended.

  3. Test 3: LD_PRELOAD Hook to Intercept libc read() (Linux)

    Expected signal: Linux audit log (auditd): execve syscall for 'cat' with environment containing LD_PRELOAD=/tmp/hooktest.so. Syslog entries showing the shared library compilation (gcc) and execution. /proc/PID/maps for the cat process will show /tmp/hooktest.so loaded. The hook_test.log file creation captured by inotify or auditd file watches.

  4. Test 4: CreateRemoteThread into Browser Process Simulating IAT Hook Deployment

    Expected signal: Sysmon Event ID 8 (CreateRemoteThread): SourceImage=powershell.exe, TargetImage=notepad.exe, [email protected], NewThreadId will be populated. Sysmon Event ID 1: notepad.exe process created by powershell.exe parent. Windows Security Event ID 4688 for notepad.exe creation. EDR will generate high-severity alert for CreateRemoteThread from PowerShell into any process.
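Test 3 is the one case above with no Sysmon coverage, and the telemetry it lists is spread over auditd, syslog and /proc. The script below is an added example for this page, not part of the test package or any Sumo Logic content: it implements the two checks a responder would run on a live Linux host to confirm an LD_PRELOAD hook of the kind Test 3 describes, by reading a process's environment for LD_PRELOAD and its memory map for shared objects mapped from outside the system library directories. The /proc contents are constructed samples modelled on the test (the /tmp/hooktest.so path comes from the test description); TRUSTED_LIB_DIRS is an assumption to be tuned per distribution.

```python
# Checks on /proc/PID/environ and /proc/PID/maps for an LD_PRELOAD-style hook.
# Constructed example; the sample /proc contents below are not real captures.

# Assumption: directories from which shared objects are normally mapped. Tune per distro.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", "/opt/")

def parse_environ(environ_bytes):
    """Split /proc/PID/environ (NUL-separated KEY=VALUE records) into a dict."""
    env = {}
    for item in environ_bytes.split(b"\0"):
        if b"=" in item:
            key, value = item.decode("utf-8", "replace").split("=", 1)
            env[key] = value
    return env

def mapped_libraries(maps_text):
    """Distinct file-backed mappings in /proc/PID/maps whose path looks like a shared object."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)          # address perms offset dev inode [path]
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            libs.add(parts[5])
    return libs

def assess_process(environ_bytes, maps_text, ld_so_preload=""):
    """Return (reason, detail) findings; an empty list means nothing hook-like was seen."""
    findings = []
    env = parse_environ(environ_bytes)
    if env.get("LD_PRELOAD"):
        findings.append(("LD_PRELOAD set", env["LD_PRELOAD"]))
    for lib in sorted(mapped_libraries(maps_text)):
        if not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append(("shared object mapped from untrusted path", lib))
    if ld_so_preload.strip():                 # system-wide preload list, if the caller read it
        findings.append(("/etc/ld.so.preload non-empty", ld_so_preload.strip()))
    return findings

# Constructed /proc samples for a 'cat' process started as in Test 3.
SAMPLE_ENVIRON = b"HOME=/home/dev\0LD_PRELOAD=/tmp/hooktest.so\0PATH=/usr/bin\0"
SAMPLE_MAPS = """\
55d4c0a00000-55d4c0a02000 r--p 00000000 fd:01 1234 /usr/bin/cat
7f3a10000000-7f3a10021000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10200000-7f3a10201000 r--p 00000000 fd:01 9012 /tmp/hooktest.so
7f3a10400000-7f3a10402000 r--p 00000000 fd:01 3456 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for reason, detail in assess_process(SAMPLE_ENVIRON, SAMPLE_MAPS):
        print(f"{reason}: {detail}")
```

On a real host the inputs come from `open(f"/proc/{pid}/environ", "rb").read()` and `open(f"/proc/{pid}/maps").read()`; both need the same UID as the process or root. Two caveats for the auditd signal the test lists: an EXECVE record carries the argv values, not the environment, so the LD_PRELOAD assignment will not appear in it unless the variable was passed on the command line, and /proc/PID/environ reflects the environment at exec time, which is exactly when LD_PRELOAD matters. The maps check is the more durable of the two, since the injected object stays mapped for the life of the process even if the variable is later cleared.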

Unlock Pro Content

Get the full detection package for T1056.004 including response playbook, investigation guide, and atomic red team tests.
