ATT&CK coverage › Technique

Input Capture: Credential API Hooking `T1056.004`

Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.

Events covered

1 catalog event are tagged with this technique by at least one rule.

Provider	Event ID	Title
Security-Auditing	4688	A new process has been created.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Kusto Query Language 1 rule

Powershell Empire Cmdlets Executed in Command Line 1 event, 0 indicators, 0 exclusions

Input Capture: Credential API Hooking T1056.004

Events covered

Rules under this technique

Kusto Query Language 1 rule

Input Capture: Credential API Hooking `T1056.004`