MITRE ATT&CK® Technique

T0874: Hooking

Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. [1]

One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. [2]

ICS | T0874 | Technique | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Hooking in ICS matters because it can let malicious code alter how trusted control-system software calls operating system functions, potentially changing execution flow inside processes that operators and engineers rely on. The ATT&CK entry specifically describes API and import address table hooking, with ICS relevance supported by its relationships to the Stuxnet and Triton software entries. For executives, the decision point is not “do we know every hook,” but whether critical ICS workstations, HMIs, control servers, historians, gateways, remote-access systems, and safety-related assets have enough integrity monitoring, library-loading control, and forensic readiness to spot unauthorized code redirection before it undermines operational trust.

Executive priority

Prioritize this as an operational resilience and assurance issue for high-consequence ICS assets. Hooking can blur the line between a legitimate process and unauthorized behavior, making normal application allowlists or process-name reviews insufficient. Leaders should ask whether integrity baselines exist for critical ICS software, whether changes after reboots, downloads, or restarts are verified, and whether incident responders can collect process, module, and memory evidence without disrupting operations. This also supports audit and compliance evidence around software integrity, configuration assurance, and control of untrusted code loading.

Technical view

ATT&CK provides no official detection text and no tactics for T0874, so SOC and IR teams should validate coverage around the described behavior: API call redirection and IAT modification in processes used by ICS applications. The relationship context shows a detection strategy, DET0722 Detection of Hooking, and mitigations M0944 Restrict Library Loading and M0947 Audit. Defensive validation should focus on the highest-consequence targeted asset classes, especially Windows-based operator and engineering systems where the description’s Windows API/DLL/IAT details are directly relevant, while also considering integrity verification for the embedded, Linux, and network ICS assets listed in the target relationships.

Likely telemetry

  • Process and loaded module/DLL inventory for ICS applications and supporting services
  • File integrity and cryptographic hash baselines for critical software, firmware, programs, and configurations
  • Evidence of library loading behavior and unexpected or untrusted code loaded by trusted processes
  • Memory or process inspection artifacts capable of identifying modified import address tables or redirected API calls
  • Change records and audit results after device reboots, program downloads, program restarts, or software updates

Detection direction

  • Treat process name alone as weak evidence; validate whether trusted ICS processes have unexpected modules, altered import tables, or integrity deviations from known-good baselines.
  • Use DET0722 as the ATT&CK-linked detection strategy reference, but confirm locally what it requires because the supplied object does not include detailed detection logic.
  • Tune carefully for legitimate vendor software, diagnostics, drivers, security tools, and updates that may load libraries or alter process behavior in approved ways.
  • Prioritize monitoring on assets named in the relationships: workstations, HMIs, control servers, data historians, application servers, data gateways, jump hosts, VPN servers, and safety/control devices where feasible.
  • Account for blind spots on embedded and network devices where host-level process or memory telemetry may be limited; compensate with integrity checks, configuration comparison, and vendor-supported collection methods.
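One way to operationalize the "altered import tables" check above, as an added example that is not part of the Glexia analysis or the ATT&CK object: given a loaded-module map and an IAT snapshot of the kind a host agent could collect from a process (all module names, ranges and pointers here are constructed sample values), flag IAT slots whose pointer lies outside the DLL that exports the function, while allowing legitimate export forwarding (kernel32 to kernelbase/ntdll) so that normal forwarding is not reported as a hook.

```python
"""Added example, not from the page: flag IAT slots that no longer point into
the module that exports them. Modules, addresses and the IAT are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed loaded-module map for a hypothetical HMI process (sample ranges).
MODULES = [
    Module("kernel32.dll", 0x7FFB10000000, 0xB0000),
    Module("kernelbase.dll", 0x7FFB0E000000, 0x2E0000),
    Module("ntdll.dll", 0x7FFB12000000, 0x1F0000),
    Module("hmi_runtime.exe", 0x7FF600000000, 0x400000),
]

# Legitimate forwarders (kernel32 forwards some exports to kernelbase/ntdll)
# so that normal forwarding is not reported as a hook.
ALLOWED_FORWARDS = {"kernel32.dll": {"kernelbase.dll", "ntdll.dll"}}

def find_module(addr, modules=MODULES):
    """Return the loaded module whose range contains addr, or None."""
    return next((m for m in modules if m.contains(addr)), None)

def check_iat(iat, modules=MODULES, allowed=ALLOWED_FORWARDS):
    """iat maps 'dll!function' to the pointer read from the process IAT.
    Returns (import, module name or None, reason) for each suspect slot."""
    findings = []
    for imp, ptr in iat.items():
        dll = imp.split("!", 1)[0].lower()
        target = find_module(ptr, modules)
        if target is None:
            findings.append((imp, None, "pointer outside every loaded module"))
        elif target.name != dll and target.name not in allowed.get(dll, ()):
            findings.append((imp, target.name, "pointer in unexpected module"))
    return findings

# Constructed IAT snapshot: two clean slots, one forwarded, two suspicious.
SAMPLE_IAT = {
    "kernel32.dll!CreateFileW": 0x7FFB1002A000,    # inside kernel32
    "ntdll.dll!NtOpenFile": 0x7FFB120A1000,        # inside ntdll
    "kernel32.dll!GetTickCount": 0x7FFB0E0C0000,   # forwarded to kernelbase
    "kernel32.dll!WriteFile": 0x1D2A0B10000,       # unbacked private memory
    "ntdll.dll!NtWriteFile": 0x7FF600123000,       # redirected into the exe
}
```

Running `check_iat(SAMPLE_IAT)` reports only the WriteFile and NtWriteFile slots; in practice the forwarder allowlist should be built from the vendor's known-good baseline rather than hard-coded.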

Mitigation priorities

  • Start with M0947 Audit: establish known-good baselines and perform periodic integrity checks of software, firmware, programs, permissions, configurations, and critical files.
  • Apply M0944 Restrict Library Loading to reduce abuse of operating system and software library-loading mechanisms and investigate software that permits untrusted code loading.
  • Sequence controls by operational criticality: operator workstations, HMIs, control servers, historians, jump hosts, VPN servers, gateways, and safety-related assets should receive earlier validation.
  • Integrate integrity verification into maintenance windows, reboots, program downloads, and program restarts so checks are operationally safe and repeatable.
  • Ensure incident response plans include evidence collection for loaded modules, process memory, and configuration state, with procedures appropriate for ICS uptime and safety constraints.

Analyst notes and limits

The ATT&CK object is sparse: tactics, platforms, aliases, and official detection are not specified. The technical description is Windows API/DLL/IAT-oriented, while relationship targets span Windows, Linux, Embedded, and Network asset types. Stuxnet and Triton are listed as software using this technique, which supports ICS materiality, but this take does not infer current exploitation or attribution.

This summary is based only on the supplied ATT&CK STIX fields, external references, and relationships. It does not establish that any environment is exposed or that any named detection will work without local telemetry, asset inventory, vendor constraints, and operational testing.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware ICS

S0603: Stuxnet

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Platform: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 4cf44aca86069924...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.2                         Current bundle   4cf44aca8606…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Enterprise ATT&CK. Hooking. Retrieved 2019/10/27.
  2. [2] Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved November 17, 2024.
  3. [3] mitre-attack. T0874.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.