DET0139: Detection of Credential Harvesting via API Hooking
Analyst context for executives and security teams
This detection strategy is about finding credential theft performed through API or system-function hooking rather than simple keystroke capture. For leaders, the practical concern is that credentials may be exposed inside normal authentication workflows on Windows, Linux, or macOS endpoints before traditional logon audit data shows anything obviously wrong. Because the ATT&CK detection strategy has no official detection text, organizations should treat this as a coverage-validation topic, not as a ready-made analytic.
Executive priority
Prioritize this where endpoint credential theft would materially affect business continuity, privileged access, incident response scope, or audit confidence. Executives should ask whether SOC and IR teams can prove they collect endpoint evidence capable of showing suspicious API/function hooking behavior, not just authentication success/failure logs. This is relevant to identity risk because stolen credentials can undermine otherwise valid access controls.
Technical view
DET0139 detects T1056.004, Credential API Hooking, associated with collection and credential-access tactics. The related technique applies to Windows, Linux, and macOS, but the detection strategy itself does not specify platforms, data sources, analytics, or detection logic. SOC and detection teams should validate whether endpoint telemetry can identify abnormal process behavior involving API or system-function hooks around authentication-related activity, and whether investigations can connect that activity to credential exposure risk without relying only on downstream account misuse.
Likely telemetry
- Endpoint process execution and ancestry
- Endpoint security/EDR events for code injection, hooking, or suspicious in-memory behavior
- Loaded module/library events where available
- Authentication-related process activity on Windows, Linux, and macOS systems
- File and memory indicators associated with credential-access tooling, where locally collected
Detection direction
- Do not assume coverage from login logs alone; this behavior may occur before credentials are used elsewhere.
- Validate endpoint visibility for suspicious hooking or tampering around authentication-related processes and libraries.
- Tune detections to distinguish legitimate security, accessibility, debugging, or instrumentation tools from unauthorized hooking behavior.
- Correlate endpoint hooking signals with credential-access context, unusual child processes, persistence, or later identity activity.
- Because MITRE provides no official detection text for this strategy, document local analytic logic, data dependencies, and known blind spots as part of detection engineering evidence.
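The validation steps above, as an added example that is not part of this page or of the MITRE/Glexia analysis: a small Python triage pass over constructed EDR-style events that flags untrusted module loads or remote-thread creation into authentication-related processes, suppresses allowlisted signers, and ranks findings by where the code was loaded from. The process names, signer names and path prefixes are assumptions to be tuned to the local environment.

```python
import json

# Assumed authentication-related processes per platform (not taken from the page; tune locally).
AUTH_PROCESSES = {
    "windows": {"lsass.exe", "winlogon.exe"},
    "linux": {"sshd", "login", "sudo"},
    "macos": {"loginwindow", "opendirectoryd"},
}
# Assumed allowlist of code signers whose hooks are expected (EDR, accessibility, instrumentation).
TRUSTED_SIGNERS = {"Microsoft Windows", "Example EDR Vendor"}  # placeholder values
# User-writable or temporary locations that legitimate authentication libraries do not load from.
SUSPECT_PATH_PREFIXES = ("/tmp/", "/dev/shm/", "C:\\Users\\", "C:\\ProgramData\\")

# Constructed sample events in a simplified EDR shape; not real telemetry.
SAMPLE_EVENTS = [
    {"platform": "windows", "type": "module_load", "target": "lsass.exe",
     "code": "C:\\Windows\\System32\\samsrv.dll", "signer": "Microsoft Windows"},
    {"platform": "windows", "type": "module_load", "target": "lsass.exe",
     "code": "C:\\Users\\Public\\hook.dll", "signer": None},
    {"platform": "windows", "type": "remote_thread", "target": "lsass.exe",
     "code": "C:\\Program Files\\ExampleEDR\\sensor.exe", "signer": "Example EDR Vendor"},
    {"platform": "linux", "type": "module_load", "target": "sshd",
     "code": "/tmp/libhook.so", "signer": None},
    {"platform": "windows", "type": "module_load", "target": "notepad.exe",
     "code": "C:\\Users\\Public\\hook.dll", "signer": None},
]

def classify(event):
    """Return a finding dict, or None if the event is not hooking-like, does not
    touch an authentication process, or comes from an allowlisted signer."""
    if event["type"] not in {"module_load", "remote_thread"}:
        return None
    if event["target"] not in AUTH_PROCESSES.get(event["platform"], set()):
        return None
    if event.get("signer") in TRUSTED_SIGNERS:
        return None
    # Untrusted code from a user-writable path is the strongest signal; signed-but-unknown
    # or system-path code still warrants review, so it is kept at lower severity.
    severity = "high" if event["code"].startswith(SUSPECT_PATH_PREFIXES) else "medium"
    return {"target": event["target"], "code": event["code"], "severity": severity,
            "reason": f"untrusted {event['type']} into authentication process"}

def run(events):
    """Apply classify() to a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Findings from a pass like this are a starting point for correlation with child-process, persistence and later identity activity, not a verdict on their own.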
Mitigation priorities
- Harden endpoints and privileged workstations first, especially systems where credential theft would create high business impact.
- Ensure endpoint detection and response or equivalent host monitoring is deployed and producing usable telemetry for Windows, Linux, and macOS where those platforms are in scope.
- Reduce credential exposure through least privilege, privileged access management, and strong authentication controls, recognizing that MFA does not replace endpoint compromise detection.
- Use IR readiness exercises to confirm teams can triage suspected API hooking and determine whether credentials require reset or session revocation.
- Maintain compliance evidence showing both preventive controls and monitoring coverage for credential-access behaviors, rather than only authentication audit logs.
Analyst notes and limits
The ATT&CK object is a detection strategy named Detection of Credential Harvesting via API Hooking and maps to T1056.004 Credential API Hooking. The available relationship context supports credential-access and collection framing and the related platforms Windows, Linux, and macOS. No official ATT&CK description or detection guidance is provided for DET0139, so this take focuses on defensive validation questions and telemetry requirements.
This summary is constrained by sparse official fields. It does not assert active exploitation, actor attribution, specific tooling, guaranteed detection coverage, or a complete analytic. Local endpoint architecture, EDR capabilities, operating systems in scope, and authentication workflows are required to determine practical coverage.
Detection of Credential Harvesting via API Hooking
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.004 | Credential API Hooking Sub-technique | This object detects Credential API Hooking. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9dc88fd88c5b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.