# T0874 Hooking

Adversaries may hook into application programming interface (API) functions used by processes to redirect calls, as a means of execution and privilege escalation. Windows processes often rely on these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. [1]

One type of hooking seen in ICS redirects calls to these functions via import address table (IAT) hooking. IAT hooking modifies a process's IAT, the table in which the pointers to imported API functions are stored, so that a slot points at attacker-controlled code instead of the legitimate export. [2]
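The integrity check that mitigation M0947 (Audit) calls for can be applied directly to the structure described above: every IAT slot is supposed to point into the image of the DLL named by its import descriptor, so a slot that resolves into a different module or into unbacked memory is a hooking indicator. The following is an added example of that check, not code from the ATT&CK page or from any of the referenced tools. The module ranges, IAT entries and addresses are constructed sample data, and the `KNOWN_FORWARDERS` table is an assumption standing in for the real export-forwarding list a production tool would carry (e.g. kernel32 legitimately forwarding some exports to ntdll), which is needed to avoid false positives.

```python
"""IAT integrity check over a process snapshot (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded module: name and the address range its image occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    """One IAT slot: the DLL named by the import descriptor, the symbol, and the resolved pointer."""
    dll: str
    function: str
    pointer: int


# Assumed allowlist of legitimate export forwarding: (dll, function) -> module that hosts the code.
# Without this, forwarded exports would be reported as hooks.
KNOWN_FORWARDERS = {
    ("kernel32.dll", "HeapAlloc"): "ntdll.dll",
}


def find_module(modules, addr):
    """Return the module whose image contains addr, or None if the address is unbacked."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def check_iat(modules, entries, forwarders=KNOWN_FORWARDERS):
    """Return (entry, reason) pairs for IAT slots that do not resolve into the expected module."""
    findings = []
    for e in entries:
        expected = e.dll.lower()
        allowed = {expected}
        fwd = forwarders.get((expected, e.function))
        if fwd:
            allowed.add(fwd.lower())
        actual = find_module(modules, e.pointer)
        if actual is None:
            findings.append((e, "pointer into unbacked memory"))
        elif actual.name.lower() not in allowed:
            findings.append((e, f"pointer resolves into {actual.name}, expected {e.dll}"))
    return findings


def sample_findings():
    """Run the check against a constructed snapshot of a hooked process."""
    modules = [  # constructed sample module map
        Module("engineering_tool.exe", 0x00007FF700000000, 0x00300000),
        Module("kernel32.dll", 0x00007FF800000000, 0x000C0000),
        Module("ntdll.dll", 0x00007FF810000000, 0x001F0000),
        Module("advapi32.dll", 0x00007FF820000000, 0x000B0000),
    ]
    entries = [  # constructed sample IAT slots
        IatEntry("kernel32.dll", "CreateFileW", 0x00007FF800012340),   # legitimate
        IatEntry("kernel32.dll", "HeapAlloc", 0x00007FF810045670),     # legitimate forwarder
        IatEntry("kernel32.dll", "ReadFile", 0x000002A000001000),      # redirected to a heap region
        IatEntry("advapi32.dll", "RegOpenKeyExW", 0x00007FF810050000), # redirected into another DLL
    ]
    return check_iat(modules, entries)


if __name__ == "__main__":
    for entry, reason in sample_findings():
        print(f"HOOK? {entry.dll}!{entry.function} @ {entry.pointer:#x}: {reason}")
```

On a live system the same logic is driven by the process's real module list and its parsed import directory; the forwarder allowlist is what keeps the audit from flagging Windows' own export forwarding, and it should be maintained from a known-good baseline rather than grown ad hoc from alerts.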
| Item | Value |
|---|---|
| ID | T0874 |
| Sub-techniques | |
| Tactics | TA0104, TA0111 |
| Platforms | Engineering Workstation |
| Version | 1.2 |
| Created | 21 May 2020 |
| Last Modified | 13 March 2023 |
## Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0603 | Stuxnet | Stuxnet modifies the Import Address Tables of DLLs to hook specific APIs that are used to open project files. [2] |
| S1009 | Triton | Triton's injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. [3] |
## Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M0947 | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts. |
| M0944 | Restrict Library Loading | Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs. |
## Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0009 | Process | OS API Execution |
## References

1. Falliere, N., O Murchu, L., & Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
2. Wetzels, J. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved October 22, 2019.
3. Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.
4. Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017.
5. Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
6. Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
7. Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017.
8. Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.