Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms capture calls to API functions whose parameters carry user authentication credentials. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike Keylogging, which records keystrokes regardless of where they are going, this technique targets only the API functions whose parameters reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
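Inline hooking leaves a recognisable trace: the first bytes of the hooked export in process memory no longer match the bytes of the same function on disk, and the patch usually decodes to a short jump stub. The checker below is an added example and is not code from the ATT&CK page or from any referenced product; the load address, the prologue bytes and the hook destinations are all constructed for the example, and reading the real bytes (ReadProcessMemory on one side, the PE file's export on the other) is left out.

```python
"""Added example: detect an inline hook on a Windows API function prologue.

Inline hooking overwrites the first bytes of a function with a jump to the
adversary's code. Comparing the in-memory prologue with the on-disk copy
exposes the patch, and decoding the stub gives the redirect destination.
Every address and byte string in this file is constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MASK64 = 0xFFFFFFFFFFFFFFFF

# Constructed: a common x64 prologue (mov [rsp+8],rbx; mov [rsp+10h],rsi;
# push rdi; sub rsp,20h; ...) as it would appear in the file on disk.
DISK_PROLOGUE = bytes.fromhex("48895C24084889742410574883EC2048")

FUNC_VA = 0x00007FF8AB0C1000  # constructed load address of the export

# Constructed in-memory copies: one clean and two patched with different stubs.
MEM_SAMPLES: Dict[str, bytes] = {
    "clean": DISK_PROLOGUE,
    # E9 rel32 -> 0x00007FF8C0000000  (rel32 = target - (FUNC_VA + 5))
    "jmp_rel32": bytes.fromhex("E9FBEFF314") + DISK_PROLOGUE[5:],
    # 48 B8 imm64 ; FF E0 : mov rax, 0x00007FF8C0001000 ; jmp rax
    "mov_jmp_rax": bytes.fromhex("48B8001000C0F87F0000FFE0") + DISK_PROLOGUE[12:],
}


@dataclass
class HookFinding:
    kind: str              # trampoline shape that was matched
    target: Optional[int]  # decoded destination (or pointer slot), if any
    patched: int           # number of leading bytes that differ from disk


def decode_trampoline(mem: bytes, func_va: int) -> Optional[Tuple[str, int]]:
    """Return (kind, address) if the prologue is one of the usual redirect stubs."""
    if not mem:
        return None
    # E9 rel32: 5-byte relative jmp; target = address of next instruction + rel32
    if mem[0] == 0xE9 and len(mem) >= 5:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return ("jmp rel32", (func_va + 5 + rel) & MASK64)
    # FF 25 disp32: x64 jmp [rip+disp32]; the address is the pointer slot,
    # the real target has to be read from that slot separately.
    if mem[:2] == b"\xff\x25" and len(mem) >= 6:
        disp = struct.unpack_from("<i", mem, 2)[0]
        return ("jmp [rip+disp32]", (func_va + 6 + disp) & MASK64)
    # 48 B8 imm64 ; FF E0: mov rax, imm64 ; jmp rax (absolute, 12 bytes)
    if mem[:2] == b"\x48\xb8" and len(mem) >= 12 and mem[10:12] == b"\xff\xe0":
        return ("mov rax,imm64; jmp rax", struct.unpack_from("<Q", mem, 2)[0])
    # 68 imm32 ; C3: push imm32 ; ret (absolute, 32-bit processes)
    if mem[0] == 0x68 and len(mem) >= 6 and mem[5] == 0xC3:
        return ("push imm32; ret", struct.unpack_from("<I", mem, 1)[0])
    return None


def check_prologue(disk: bytes, mem: bytes, func_va: int) -> Optional[HookFinding]:
    """Diff the on-disk and in-memory prologue; describe any patch found."""
    n = min(len(disk), len(mem))
    patched = sum(1 for i in range(n) if disk[i] != mem[i])
    if patched == 0:
        return None
    decoded = decode_trampoline(mem, func_va)
    if decoded is None:
        return HookFinding("unrecognised patch", None, patched)
    kind, target = decoded
    return HookFinding(kind, target, patched)


def scan_samples() -> Dict[str, Optional[HookFinding]]:
    """Run the check over every constructed sample."""
    return {name: check_prologue(DISK_PROLOGUE, mem, FUNC_VA)
            for name, mem in MEM_SAMPLES.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        if finding is None:
            print(f"{name}: prologue matches disk")
        else:
            tgt = f"0x{finding.target:016X}" if finding.target is not None else "?"
            print(f"{name}: {finding.kind}, {finding.patched} bytes patched, -> {tgt}")
```

A differing prologue is evidence, not a verdict: security products and application-compatibility shims also place inline hooks on credential-related exports, so the decoded destination should be resolved to its owning module and that module checked (signed, expected on the host) before the finding is treated as credential theft.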
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056.004 | Input Capture: Credential API Hooking | |
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1056.004 | Input Capture: Credential API Hooking | |
action.malware.variety.Spyware/Keylogger | Spyware, keylogger or form-grabber (capture user input or activity) | related-to | T1056.004 | Input Capture: Credential API Hooking | |
attribute.confidentiality.data_disclosure | None | related-to | T1056.004 | Input Capture: Credential API Hooking | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1056.004 | Credential API Hooking | |
Comments
Google Security Operations can trigger an alert on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks).
The technique was scored as Minimal because the detection coverage factor is low or uncertain.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral