Esc

Credential API Hooking - T1056.004

(ATT&CK® Technique)

Definition

Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1056004["Credential API Hooking"] --> |may-modify| ProcessCodeSegment["Process Code Segment"]; class T1056004 OffensiveTechniqueNode;
        class ProcessCodeSegment ArtifactNode; click ProcessCodeSegment href "/dao/artifact/d3f:ProcessCodeSegment";
        click T1056004 href "/offensive-technique/attack/T1056.004/"; click ProcessCodeSegment href "/dao/artifact/d3f:ProcessCodeSegment";             MemoryBoundaryTracking["Memory Boundary Tracking"] -->
          | analyzes | ProcessCodeSegment["Process Code Segment"];

          MemoryBoundaryTracking["Memory Boundary Tracking"] -.->
            | may-detect | T1056004["Credential API Hooking"] ;
          class MemoryBoundaryTracking DefensiveTechniqueNode;
          class ProcessCodeSegment ArtifactNode;
          click MemoryBoundaryTracking href "/technique/d3f:MemoryBoundaryTracking";              SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] -->
          | obfuscates | ProcessCodeSegment["Process Code Segment"];

          SegmentAddressOffsetRandomization["Segment Address Offset Randomization"] -.->
            | may-harden | T1056004["Credential API Hooking"] ;
          class SegmentAddressOffsetRandomization DefensiveTechniqueNode;
          class ProcessCodeSegment ArtifactNode;
          click SegmentAddressOffsetRandomization href "/technique/d3f:SegmentAddressOffsetRandomization"; ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] -->
          | neutralizes | ProcessCodeSegment["Process Code Segment"];

          ProcessSegmentExecutionPrevention["Process Segment Execution Prevention"] -.->
            | may-harden | T1056004["Credential API Hooking"] ;
          class ProcessSegmentExecutionPrevention DefensiveTechniqueNode;
          class ProcessCodeSegment ArtifactNode;
          click ProcessSegmentExecutionPrevention href "/technique/d3f:ProcessSegmentExecutionPrevention"; ProcessCodeSegmentVerification["Process Code Segment Verification"] -->
          | verifies | ProcessCodeSegment["Process Code Segment"];

          ProcessCodeSegmentVerification["Process Code Segment Verification"] -.->
            | may-detect | T1056004["Credential API Hooking"] ;
          class ProcessCodeSegmentVerification DefensiveTechniqueNode;
          class ProcessCodeSegment ArtifactNode;
          click ProcessCodeSegmentVerification href "/technique/d3f:ProcessCodeSegmentVerification";

json