Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056.004 | Input Capture: Credential API Hooking |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1056.004 | Input Capture: Credential API Hooking |
| action.malware.variety.Spyware/Keylogger | Spyware, keylogger or form-grabber (capture user input or activity) | related-to | T1056.004 | Input Capture: Credential API Hooking |
| attribute.confidentiality.data_disclosure | | related-to | T1056.004 | Input Capture: Credential API Hooking |