From attackics
Jump to navigation Jump to search
ID T874
Tactic Persistence
Data Sources File monitoring, Windows registry, API monitoring
Asset Engineering Workstation


Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.1

One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process’s IAT, where pointers to imported API functions are stored.2

Procedure Examples

  • Stuxnet modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files.2