Hooking (T1179)


Technique & Subtechniques

  • Hooking

Associated Tactics

  • Persistence
  • Privilege Escalation
  • Credential Access

Persistence (TA0003)

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
