Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-ptt | Intel Platform Trust Technology | Win 11, ESS/Hello | T1056.004 | Credential API Hooking |
Comments
Windows Hello ESS authentication leverages virtual sandbox(Intel VT-X) to protect authentication data to significantly reduce the risk of brute force attacks on passwords, as biometrics typically require physical presence or biometric data that cannot be easily guessed or replicated. It uses the TPM (Intel PTT) to store authentication data including public/private key pairs. Windows Hello also includes Passkeys, a passwordless authentication option that generates public/private key pair with the public key shared with the service requiring authentication and the private key stored in the TPM, which is only released after authentication locally on the device using either a biometric factor such as fingerprint, facial recognition, or a PIN. Windows Hello helps protect against the risk of credentials being stored in files by eliminating the need for passwords in many authentication scenarios.
Enhanced Sign-In Security (ESS) will prevent credential API hooking by virtue of it running in Virtual Trust Level 1 (VTL1) isolated environment.
Windows Hello helps protect against the risk of credentials being stored in files by eliminating the need for passwords.
References
|