Hooking

From attackics
Jump to navigation Jump to search
Hooking
Technique
ID T0874
Tactic Persistence
Data Sources File monitoring, Windows registry, API monitoring
Asset Engineering Workstation

Description

Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.1

One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process’s IAT, where pointers to imported API functions are stored.2


Procedure Examples

  • Stuxnet modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files.2

Mitigations

  • Audit - Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.


References

  1. ^  Enterprise ATT&CK. (n.d.). Hooking. Retrieved October 27, 2019.
  1. a b  Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.



v · d · e
Adversary Techniques
Initial Access
Execution
Persistence
Evasion
Discovery
Lateral Movement
Collection
Inhibit Response Function
Impair Process Control
Impact


Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Technique/T0874&oldid=8645"