MITRE ATT&CK® Technique

T1056.004: Credential API Hooking

Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials.[1] Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.

In Windows, hooking involves redirecting calls to these functions and can be implemented via:

* **Hook procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.[2][3]
* **Import address table (IAT) hooking**, which uses modifications to a process's IAT, where pointers to imported API functions are stored.[3][4][5]
* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.[3][6][5]
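The check below is an added example, not code from the ATT&CK entry or from Glexia: it compares the first bytes of each export as read from process memory with the same bytes from the module's on-disk image, and classifies any difference by the redirect patterns inline hooks commonly write over a prologue. The export names and byte strings are constructed sample data; a real collector would walk the module's export table and read both copies itself.

```python
# Added example (not from the ATT&CK entry or Glexia): flag inline hooks by diffing each
# export's first bytes in memory against the module's on-disk image.
from collections import namedtuple
# Instruction prefixes commonly written over a function prologue to redirect code flow.
REDIRECT_PREFIXES = {
    b"\xe9": "jmp rel32",             # E9 <rel32>
    b"\xff\x25": "jmp [rip+disp32]",  # FF 25 <disp32>, absolute jump through memory
    b"\x48\xb8": "mov rax, imm64",    # 48 B8 <imm64> followed by FF E0 (jmp rax)
}
WINDOW = 12  # bytes compared per export; enough to hold mov rax, imm64 + jmp rax

# kind is "clean", "patched" (unexplained change) or "redirect: <pattern>"
HookFinding = namedtuple("HookFinding", "function kind differing_bytes")

def classify_prologue(name, disk, memory):
    """Diff the first WINDOW bytes of one function on disk versus in memory."""
    d, m = disk[:WINDOW], memory[:WINDOW]
    diff = sum(1 for a, b in zip(d, m) if a != b) + abs(len(d) - len(m))
    if diff == 0:
        return HookFinding(name, "clean", 0)
    for prefix, desc in REDIRECT_PREFIXES.items():
        if not m.startswith(prefix):
            continue
        # mov rax, imm64 is only a redirect when jmp rax follows it
        if prefix == b"\x48\xb8" and m[10:12] != b"\xff\xe0":
            continue
        return HookFinding(name, f"redirect: {desc}", diff)
    return HookFinding(name, "patched", diff)

def scan_exports(disk_exports, memory_exports):
    """Return a finding for every export whose in-memory prologue differs from disk."""
    findings = []
    for name, disk_bytes in sorted(disk_exports.items()):
        f = classify_prologue(name, disk_bytes, memory_exports.get(name, b""))
        if f.kind != "clean":
            findings.append(f)
    return findings

# Constructed sample: x64 prologues as stored on disk and as read from process memory.
DISK = {
    "export_a": b"\x48\x89\x5c\x24\x08\x48\x89\x6c\x24\x10\x56\x57",
    "export_b": b"\x40\x53\x48\x83\xec\x20\x48\x8b\xd9\x48\x8b\xca",
    "export_c": b"\x48\x8b\xc4\x48\x89\x58\x08\x48\x89\x68\x10\x56",
}
MEMORY = {
    "export_a": b"\xe9\x10\x20\x30\x00" + DISK["export_a"][5:],       # jmp rel32 over prologue
    "export_b": DISK["export_b"],                                      # untouched
    "export_c": b"\x48\xb8\x00\x10\x40\x00\x00\x00\x00\x00\xff\xe0",  # mov rax, imm64; jmp rax
}
```

A "patched" result with no recognised redirect still deserves triage, since hot-patching by legitimate tooling and unusual trampolines both land there.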

In Linux and macOS, adversaries may hook into system functions via the `LD_PRELOAD` (Linux) or `DYLD_INSERT_LIBRARIES` (macOS) environment variables, which enable loading shared libraries into a program's address space. For example, an adversary may capture credentials by hooking into the `libc read` function leveraged by SSH or SCP.[7]

Domain: Enterprise | ID: T1056.004 | Type: Sub-technique | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Credential API Hooking matters because it can let malware collect credentials at the point applications handle authentication, often without relying on visible phishing prompts or ordinary keylogging. For leaders, the practical issue is whether endpoint and server monitoring can see tampering inside trusted processes on Windows, Linux, and macOS before stolen credentials become broader identity compromise.

Executive priority

Prioritize this as an identity and incident-response readiness problem, not only an endpoint malware problem. The technique is associated in ATT&CK with credential access and collection, and with multiple malware/software entries including TrickBot, Ursnif, FinFisher, Empire, and others. Executives should ask whether credential-theft investigations include process-memory and userland-hooking evidence, whether high-value authentication paths are covered by EDR and logging, and whether incident playbooks assume that passwords handled by an affected host may be exposed.

Technical view

For SOC, detection engineering, and IR teams, validate coverage for userland API/function tampering across the official platforms: Windows, Linux, and macOS. On Windows, ATT&CK describes hook procedures, import address table modification, and inline hooking. On Linux and macOS, ATT&CK describes shared-library injection through LD_PRELOAD and DYLD_INSERT_LIBRARIES, including possible credential capture from functions used by SSH or SCP. Because the ATT&CK object has no official detection text, use the related detection strategy DET0139 as a pointer, then prove locally that telemetry can identify suspicious hooks, unexpected library loads, modified API entry points, and credential-access behavior in sensitive processes.

Likely telemetry

  • Endpoint detection and response telemetry for process injection, loaded modules, and suspicious in-process code changes
  • Windows process, DLL/module, import table, and hook-related inspection data where available
  • Memory forensics or live response evidence for inline hooks and altered API function bytes
  • Linux environment variable and process launch telemetry involving LD_PRELOAD
  • macOS process launch and environment telemetry involving DYLD_INSERT_LIBRARIES

Detection direction

  • Confirm whether DET0139 or equivalent local analytics are implemented and tested against this ATT&CK technique, since the official technique entry does not provide detection guidance.
  • Tune for suspicious hooking in credential-handling processes rather than broad hook existence alone; legitimate security, accessibility, observability, and application tooling may also use hooks.
  • On Windows, validate visibility into hook procedures, IAT changes, and inline patching of API functions inside user processes.
  • On Linux and macOS, validate collection and alerting for unexpected LD_PRELOAD or DYLD_INSERT_LIBRARIES usage, especially for authentication-related tools.
  • During IR, treat endpoint-only absence of alerts cautiously; userland hooks and shared-library injection may require memory inspection or specialized response collection.
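The analytic below is an added example, not part of the ATT&CK entry or Glexia's guidance: it scores process-launch events that carry LD_PRELOAD or DYLD_INSERT_LIBRARIES, raising severity when the image is an authentication-related tool or the library sits in a world-writable staging path, and suppressing libraries on an assumed site allowlist. The event schema (host, pid, image, env), the tool list and the allowlist are assumptions, and the events are constructed.

```python
# Added example (not from the ATT&CK entry or Glexia): score process-launch events that
# carry LD_PRELOAD / DYLD_INSERT_LIBRARIES, weighting credential-handling tools.
import json

# Assumed: tools whose processes handle authentication secrets (site-specific list).
CREDENTIAL_TOOLS = {"ssh", "scp", "sshd", "sudo", "su", "login", "passwd"}
# Assumed: preload libraries this environment accepts as legitimate.
ALLOWED_PRELOADS = {"/usr/lib/libfakeroot.so", "/opt/observability/libtrace.so"}
PRELOAD_VARS = ("LD_PRELOAD", "DYLD_INSERT_LIBRARIES")
STAGING_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # world-writable, rarely legitimate

def preload_libs(env):
    """Return every library named in a preload variable (':' or ' ' separate entries)."""
    libs = []
    for var in PRELOAD_VARS:
        libs += env.get(var, "").replace(":", " ").split()
    return libs

def score_event(event):
    """Return an alert dict for an unexpected preload, or None when nothing is suspicious."""
    unexpected = [lib for lib in preload_libs(event.get("env", {})) if lib not in ALLOWED_PRELOADS]
    if not unexpected:
        return None
    image = event.get("image", "").rsplit("/", 1)[-1]
    severity = "medium"
    if image in CREDENTIAL_TOOLS or any(lib.startswith(STAGING_PATHS) for lib in unexpected):
        severity = "high"
    return {"host": event["host"], "pid": event["pid"], "image": event["image"],
            "libs": unexpected, "severity": severity}

def run_analytic(raw_events):
    """Apply score_event to newline-delimited JSON events and collect the alerts."""
    alerts = []
    for line in raw_events.splitlines():
        if line.strip():
            alert = score_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample telemetry (one JSON event per line; schema is an assumption).
SAMPLE_EVENTS = """\
{"host":"web01","pid":4120,"image":"/usr/bin/ssh","env":{"LD_PRELOAD":"/tmp/.cache/libpreload.so"}}
{"host":"web01","pid":4121,"image":"/usr/bin/make","env":{"LD_PRELOAD":"/usr/lib/libfakeroot.so"}}
{"host":"mac02","pid":771,"image":"/usr/bin/scp","env":{"DYLD_INSERT_LIBRARIES":"/Users/Shared/lib.dylib"}}
{"host":"web01","pid":4122,"image":"/usr/bin/curl","env":{"LD_PRELOAD":"/opt/hooks/libstat.so"}}
{"host":"web01","pid":4123,"image":"/usr/bin/ssh","env":{}}
"""
```

On Linux, preloading can also be forced through /etc/ld.so.preload, which an environment-based analytic never sees; pair it with file-integrity telemetry on that path.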

Mitigation priorities

  • Harden and monitor endpoints that process credentials, with priority on administrative workstations, jump hosts, developer systems, and servers used for remote access.
  • Restrict untrusted code execution and unexpected library loading where feasible through platform controls, application control, and least-privilege administration.
  • Ensure EDR or equivalent tooling can capture process/module/memory evidence needed for credential-theft triage, not just file-based malware indicators.
  • Use MFA and credential rotation procedures to reduce business impact when host-level credential capture is suspected; do not assume passwords remain safe after compromise of a credential-handling process.
  • Include this technique in incident response runbooks for credential theft, requiring scoping of affected accounts, hosts, and authentication applications.
Analyst notes and limits

This is ATT&CK technique T1056.004, a sub-technique of Input Capture, with tactics collection and credential-access. The object is not revoked or deprecated and is version 1.2 in ATT&CK release 19.1. Relationship context includes one detection strategy, DET0139, and multiple software/group uses. The former T1179 Hooking technique is revoked by this object, which is useful when normalizing older detections or reports.

The official ATT&CK detection field is not provided, so detection recommendations must be validated against local telemetry and the related DET0139 strategy rather than treated as MITRE-prescribed analytics. The object’s official platforms are Windows, Linux, and macOS; any relationship to software on other platforms should be handled as relationship context, not as a general platform claim for this technique.

Official MITRE ATT&CK definition

Credential API Hooking

Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials.[1] Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.

In Windows, hooking involves redirecting calls to these functions and can be implemented via:

* **Hook procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.[2][3]
* **Import address table (IAT) hooking**, which uses modifications to a process's IAT, where pointers to imported API functions are stored.[3][4][5]
* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.[3][6][5]

In Linux and macOS, adversaries may hook into system functions via the `LD_PRELOAD` (Linux) or `DYLD_INSERT_LIBRARIES` (macOS) environment variables, which enable loading shared libraries into a program's address space. For example, an adversary may capture credentials by hooking into the `libc read` function leveraged by SSH or SCP.[7]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
| --- | --- | --- | --- |
| Enterprise | T1056 | Input Capture | This object is a sub-technique of Input Capture. |
| Enterprise | T1179 | Hooking | Hooking is revoked by this object. |

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0068: PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.[1]

Malware (Enterprise)

S0330: Zeus Panda

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda's original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[1][2]

Platforms: Windows

Malware (Enterprise)

S0484: Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[1][2][3]

Platforms: Windows

Malware (Enterprise)

S0182: FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird.[1][2][3][4][5]

Platforms: Windows, Android

Malware (Enterprise)

S0386: Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]

Platforms: Windows

Malware (Enterprise)

S0412: ZxShell

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[1][2]

Platforms: Windows

Malware (Enterprise)

S0251: Zebrocy

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang.[1][2][3][4]

Platforms: Windows

Malware (Enterprise)

S0416: RDFSNIFFER

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.[1]

Platforms: Windows

Tool (Enterprise)

S0363: Empire

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

Platforms: Linux, macOS, Windows

Malware (Enterprise)

S0266: TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]

Platforms: Windows

Malware (Enterprise)

S0353: NOKKI

NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[1][2]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: 87e5f10af33351c3...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 | | 1.2 | | Current bundle | 87e5f10af333… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I. Retrieved December 18, 2017.
  2. [2] Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
  3. [3] Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Elastic. Retrieved December 7, 2017.
  4. [4] Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks. Adlice Software. Retrieved December 12, 2017.
  5. [5] Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User Mode. MWR InfoSecurity. Retrieved December 20, 2017.
  6. [6] Mariani, B. (2011, September 6). Inline Hooking in Windows. High-Tech Bridge. Retrieved November 17, 2024.
  7. [7] Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Intezer. Retrieved March 24, 2025.
  8. [8] Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.
  9. [9] GMER. (n.d.). GMER. Retrieved December 12, 2017.
  10. [10] Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017.
  11. [11] Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved December 12, 2017.
  12. [12] Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
  13. [13] Stack Exchange - Security. (2012, July 31). What are the methods to find hooked functions and APIs?. Retrieved December 12, 2017.
  14. [14] Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
  15. [15] Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Zairon. Retrieved December 12, 2017.
  16. [16] MITRE ATT&CK. T1056.004.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.