title: Credential API Hooking (T1056.004)
id: df00tech-t1056-004
status: experimental
description: "Adversaries may hook into Windows API functions or Linux/macOS system functions to collect user credentials. Unlike keylogging (T1056.001), this technique targets API functions whose parameters carry authentication credentials at the moment they are passed. On Windows this includes hook procedures installed with SetWindowsHookEx, Import Address Table (IAT) hooking, which rewrites a module's import pointers, and inline hooking, which patches the first bytes of a function such as LsaLogonUser, SamIGetPrivateData, or CryptUnprotectData so the call is redirected to attacker code. On Linux and macOS, adversaries set LD_PRELOAD or DYLD_INSERT_LIBRARIES to load a shared library that interposes on credential-handling functions, for example libc read() in ssh and scp, so the plaintext password is copied before the program sees it. Malware families including Ursnif, TrickBot, Zeus Panda, Carberp, and FinFisher have been documented using these techniques."
references:
  - https://attack.mitre.org/techniques/T1056/004/
  - https://df00tech.com/detections/T1056.004
author: df00tech
date: 2026/04/16
tags:
  - attack.t1056.004
# NOTE: logsource is auto-derived and needs adjustment for your environment.
# Windows API hooking (SetWindowsHookEx, IAT and inline hooks) is not visible in
# process_creation events; it surfaces in image-load (Sysmon Event ID 7),
# CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10) telemetry, or
# in EDR API-call monitoring. Only the Linux/macOS LD_PRELOAD /
# DYLD_INSERT_LIBRARIES variant shows up at process creation, in the command
# line (and environment, where the sensor captures it) of the spawned process,
# and that needs a linux or macos logsource rather than the windows one below.
logsource:
  category: process_creation
  product: windows
detection:
  # PLACEHOLDER: the detection logic could not be auto-translated; see the KQL/SPL
  # query on df00tech. 'EventID: *' with a bare selection condition matches every
  # process_creation event, so the rule as written fires on every process start
  # at level high. Do not deploy it until the selection is replaced.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate security products (AV, EDR agents, DLP tools) that use hooking internally to monitor API calls — MsMpEng.exe, CylanceSvc.exe, CbDefense.exe"
  - "Accessibility software (screen readers, magnifiers, input helpers) that use SetWindowsHookEx to intercept keyboard/mouse input — JAWS, NVDA, ZoomText"
  - "Application compatibility shims and compatibility layers (AppHelp, Windows Shims) that hook APIs for legacy application support"
  - "Debugging tools and profilers (WinDbg, Visual Studio debugger, dotTrace, dotMemory) that legitimately attach to processes and intercept API calls"
  - "Remote administration and screen-sharing software (TeamViewer, AnyDesk, RDP hooks in mstsc.exe) that use hooks for display capture"
level: high
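Worked example, added here and not part of the published rule or of df00tech's own detection: a minimal evaluator for a flat Sigma selection, run over constructed process_creation events. It shows that the placeholder selection above fires on every event, contrasts it with one selection derived from the LD_PRELOAD / DYLD_INSERT_LIBRARIES variant in the description, and applies the rule's falsepositives list as an image allowlist. Field names (EventID, Image, CommandLine) assume the Sysmon / Sigma process_creation convention; the sample events are constructed for this example, not real telemetry.

```python
"""Added example (not part of the published rule): evaluate flat Sigma
selections over constructed process_creation events.

Assumptions: field names follow the Sysmon / Sigma process_creation
convention (EventID, Image, CommandLine); the sample events below are
constructed for this example and are not real telemetry.
"""
from fnmatch import fnmatchcase

# Constructed sample events. The two preload entries model the Linux/macOS
# variant from the rule description; the other two are benign Windows starts.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "CommandLine": "MsMpEng.exe"},
    {"EventID": 1, "Image": "/usr/bin/ssh",
     "CommandLine": "LD_PRELOAD=/tmp/.cache/libhook.so ssh admin@10.0.0.5"},
    {"EventID": 1, "Image": "/usr/bin/scp",
     "CommandLine": "DYLD_INSERT_LIBRARIES=/tmp/inject.dylib scp backup.tgz host:/data"},
]


def sigma_match(selection: dict, event: dict) -> bool:
    """Evaluate a flat Sigma selection map: every key must match (AND); a
    list value is an OR of alternatives. Supports the bare form (Sigma's
    plain string match, where '*' and '?' are wildcards) and the contains,
    startswith and endswith modifiers. Matching is case-insensitive, as in
    Sigma."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, "")).lower()
        alternatives = wanted if isinstance(wanted, list) else [wanted]
        patterns = [str(p).lower() for p in alternatives]
        if modifier == "contains":
            ok = any(p in actual for p in patterns)
        elif modifier == "startswith":
            ok = any(actual.startswith(p) for p in patterns)
        elif modifier == "endswith":
            ok = any(actual.endswith(p) for p in patterns)
        elif modifier == "":
            ok = any(fnmatchcase(actual, p) for p in patterns)
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not ok:
            return False
    return True


# The selection exactly as published in the rule: '*' matches any value.
PLACEHOLDER_SELECTION = {"EventID": "*"}

# One concrete selection derived from the description's Linux/macOS variant:
# a process whose command line carries a preload variable assignment.
PRELOAD_SELECTION = {"CommandLine|contains": ["LD_PRELOAD=", "DYLD_INSERT_LIBRARIES="]}

# Images the rule's falsepositives section names as legitimate API hookers.
KNOWN_HOOKING_IMAGES = ["MsMpEng.exe", "CylanceSvc.exe", "CbDefense.exe"]


def run_rule(selection: dict, events: list, allowlist=()) -> list:
    """Return the events the selection fires on, minus any whose Image ends
    with one of the allowlisted process names."""
    hits = []
    for ev in events:
        if not sigma_match(selection, ev):
            continue
        image = str(ev.get("Image", "")).lower()
        if any(image.endswith(name.lower()) for name in allowlist):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    total = len(SAMPLE_EVENTS)
    print("placeholder selection fires on",
          len(run_rule(PLACEHOLDER_SELECTION, SAMPLE_EVENTS)), "of", total)
    print("with falsepositives allowlist:",
          len(run_rule(PLACEHOLDER_SELECTION, SAMPLE_EVENTS, KNOWN_HOOKING_IMAGES)), "of", total)
    for ev in run_rule(PRELOAD_SELECTION, SAMPLE_EVENTS):
        print("preload hit:", ev["CommandLine"])
```

The allowlist only trims noise from a selection that is already meaningful; applied to the placeholder it still leaves every non-allowlisted process start as a high-severity hit, which is the point of the PLACEHOLDER comment in the rule. The preload selection is the one part of the description a process_creation source can actually see, and it belongs under a linux or macos logsource.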
