Detects credential harvesting via userland API hooking (e.g., SetWindowsHookEx, IAT, or inline patching) by correlating memory modifications with hook installation functions and suspicious module loads in credential-sensitive processes like lsass.exe, explorer.exe, or winlogon.exe.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |

| Field | Description |
|---|---|
| TargetProcess | Credential-sensitive targets (e.g., explorer.exe, winlogon.exe) may vary by environment |
| AccessMask | Tune on the granted access rights, e.g., 0x1FFFFF (full access) versus the narrower rights sufficient for thread injection |
| TimeWindow | Correlate memory access and hook setup within short windows (5–10 seconds) |
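As an added example (not part of this detection strategy or of any project it describes), the following Python correlates Sysmon events the way the tunables above describe: a suspicious-access handle to a credential-sensitive process (EventCode 10) followed, within the time window, by an untrusted module load in the same source process (EventCode 7) or a remote thread created in the target (EventCode 8). Field names follow Sysmon's schema; the access-mask threshold, the trusted-directory allowlist and the sample events are constructed assumptions.

```python
"""Added example: correlate Sysmon EventCode 10/7/8 to surface hook installation
against credential-sensitive processes. Thresholds and samples are assumptions."""
from datetime import datetime, timedelta

# Tunables named in the strategy; the values are hypothetical defaults.
CREDENTIAL_TARGETS = {"lsass.exe", "explorer.exe", "winlogon.exe"}
WINDOW_SECONDS = 10
FULL_ACCESS = 0x1FFFFF                      # PROCESS_ALL_ACCESS
INJECT_MASK = 0x0002 | 0x0008 | 0x0020      # CREATE_THREAD | VM_OPERATION | VM_WRITE
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (not real telemetry), limited to the fields used here.
SAMPLE_EVENTS = [
    # Suspicious chain: full-access handle to lsass, unsigned DLL from Temp, remote thread in lsass.
    {"EventCode": 10, "UtcTime": "2024-01-01 10:00:00.000",
     "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 7, "UtcTime": "2024-01-01 10:00:03.000",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\hook.dll", "Signed": "false"},
    {"EventCode": 8, "UtcTime": "2024-01-01 10:00:05.000",
     "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    # Benign: an endpoint sensor opens lsass with a query-only mask; no alert.
    {"EventCode": 10, "UtcTime": "2024-01-01 10:05:00.000",
     "SourceImage": "C:\\Program Files\\Vendor\\sensor.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    # Full access, but the follow-on load arrives 30 s later: outside the window, no alert.
    {"EventCode": 10, "UtcTime": "2024-01-01 10:10:00.000",
     "SourceImage": "C:\\Tools\\debug.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 7, "UtcTime": "2024-01-01 10:10:30.000",
     "Image": "C:\\Tools\\debug.exe", "ImageLoaded": "C:\\Tools\\ext.dll", "Signed": "false"},
]


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_access(granted_access):
    """Full access, or the minimum rights needed to write memory and start a thread."""
    mask = int(granted_access, 16)
    return mask == FULL_ACCESS or (mask & INJECT_MASK) == INJECT_MASK


def untrusted_module(ev):
    """Module loaded from outside the OS directories, or reported unsigned by Sysmon."""
    loaded = ev["ImageLoaded"].lower()
    return (not loaded.startswith(TRUSTED_MODULE_DIRS)
            or ev.get("Signed", "true").lower() == "false")


def correlate(events, window_seconds=WINDOW_SECONDS):
    """One alert per suspicious access to a credential process that is followed, inside
    the window, by an untrusted module load in the accessor or a remote thread in the target."""
    events = sorted(events, key=_ts)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for i, access in enumerate(events):
        if (access["EventCode"] != 10
                or _name(access["TargetImage"]) not in CREDENTIAL_TARGETS
                or not suspicious_access(access["GrantedAccess"])):
            continue
        src, tgt, t0 = access["SourceImage"].lower(), _name(access["TargetImage"]), _ts(access)
        evidence = set()
        for follow in events[i + 1:]:
            if _ts(follow) - t0 > window:
                break                      # events are time-ordered; nothing later can qualify
            if follow["EventCode"] == 7 and follow["Image"].lower() == src and untrusted_module(follow):
                evidence.add(7)
            elif (follow["EventCode"] == 8 and follow["SourceImage"].lower() == src
                  and _name(follow["TargetImage"]) == tgt):
                evidence.add(8)
        if evidence:
            alerts.append({"source": access["SourceImage"], "target": access["TargetImage"],
                           "granted_access": access["GrantedAccess"],
                           "evidence_codes": sorted(evidence)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Widening `window_seconds` from 10 to 60 turns the debug.exe sequence into a second alert, which is the trade-off the TimeWindow tunable controls: a longer window catches slower hook installers at the cost of pairing unrelated handle opens with routine module loads.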
Detects credential interception via malicious LD_PRELOAD-based shared libraries loaded into ssh, sudo, or scp processes. Correlates environment variable injection, unexpected library loads, and memory patching behavior.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Module Load (DC0016) | auditd:SYSCALL | LD_PRELOAD Logging |

| Field | Description |
|---|---|
| InjectedLibraryName | Watch for user-defined suspicious .so files (e.g., libhook.so, libshadow.so) |
| TargetProcessName | Hooked binaries vary by use case (e.g., ssh, login, gdm) |
Detects DYLD_INSERT_LIBRARIES abuse to hook credential-sensitive applications by correlating process spawns with unauthorized library injection and monitoring changes to the __TEXT segment (code) of credential-handling binaries.

| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | macos:unifiedlog | DYLD event subsystem |
| File Access (DC0055) | fs:fsusage | File Access Monitor |
| Process Modification (DC0020) | macos:osquery | Memory Mappings |

| Field | Description |
|---|---|
| DYLDInjectedPath | Tunable based on naming patterns or location of malicious dylibs |
| ParentProcessName | Hooking attempts may stem from Terminal.app, bash, or AppleScript-based launchers |
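The LD_PRELOAD analytic above and this DYLD_INSERT_LIBRARIES analytic share one mechanism: a loader environment variable that injects a shared object into a credential-handling process. As an added example covering both (not part of this detection strategy or of any project it describes), the following Python evaluates normalized process-spawn records, assumed to carry the process environment as the "LD_PRELOAD Logging" channel implies, against the InjectedLibraryName / DYLDInjectedPath and TargetProcessName / ParentProcessName tunables. The record layout, allowlisted library directories, name patterns and sample records are constructed assumptions.

```python
"""Added example: flag credential-sensitive processes started with a preload or
insert-library variable pointing at an untrusted shared object. One rule covers
LD_PRELOAD (Linux) and DYLD_INSERT_LIBRARIES (macOS). All tunables are assumptions."""
import re
from posixpath import basename

# Hypothetical tunables: adapt to the environment's own credential handlers.
CREDENTIAL_BINARIES = {"ssh", "scp", "sudo", "su", "login", "gdm", "sshd"}
PRELOAD_VARS = {"linux": "LD_PRELOAD", "macos": "DYLD_INSERT_LIBRARIES"}
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                    "/usr/local/lib/", "/System/Library/")
SUSPICIOUS_NAME = re.compile(r"hook|shadow|inject|keylog", re.I)
# Parents the strategy calls out as common launch points for hooking attempts.
LAUNCHER_PARENTS = {"bash", "zsh", "sh", "osascript", "Terminal"}

# Constructed sample records: what a collector that attaches the environment to an
# execve / process-spawn event might hand the analytic. Not real telemetry.
SAMPLE_RECORDS = [
    {"platform": "linux", "pid": 4123, "exe": "/usr/bin/ssh", "parent": "/bin/bash",
     "env": {"LD_PRELOAD": "/tmp/.cache/libhook.so", "HOME": "/home/bob"}},
    {"platform": "linux", "pid": 4124, "exe": "/usr/bin/ssh", "parent": "/usr/bin/sshd",
     "env": {"HOME": "/home/bob"}},                                # no preload: clean
    {"platform": "linux", "pid": 4125, "exe": "/usr/bin/ssh", "parent": "/bin/bash",
     "env": {"LD_PRELOAD": "/usr/lib/libsite-wrapper.so"}},         # allowlisted dir, neutral name
    {"platform": "macos", "pid": 771, "exe": "/usr/bin/ssh", "parent": "/usr/bin/osascript",
     "env": {"DYLD_INSERT_LIBRARIES": "/Users/bob/Library/Caches/libshadow.dylib"}},
    {"platform": "macos", "pid": 772, "exe": "/bin/ls", "parent": "/bin/zsh",
     "env": {"DYLD_INSERT_LIBRARIES": "/Users/bob/dev/libtrace.dylib"}},  # not credential-sensitive
]


def library_findings(path):
    """Reasons one injected library path looks malicious; an empty list means trusted."""
    reasons = []
    if not path.startswith(TRUSTED_LIB_DIRS):
        reasons.append("library outside trusted directories")
    if SUSPICIOUS_NAME.search(basename(path)):
        reasons.append("suspicious library name")
    return reasons


def evaluate(record):
    """Return a finding for one process record, or None when there is nothing to report."""
    var = PRELOAD_VARS.get(record["platform"])
    value = record.get("env", {}).get(var) if var else None
    if not value or basename(record["exe"]) not in CREDENTIAL_BINARIES:
        return None
    # LD_PRELOAD separates entries with colons or spaces; DYLD_INSERT_LIBRARIES with colons.
    libs = [p for p in re.split(r"[:\s]+", value) if p]
    reasons = {lib: library_findings(lib) for lib in libs}
    if not any(reasons.values()):
        return None
    finding = {"pid": record["pid"], "exe": record["exe"], "variable": var,
               "libraries": {lib: r for lib, r in reasons.items() if r}}
    parent = basename(record["parent"])
    if parent in LAUNCHER_PARENTS:
        finding["context"] = f"launched from {parent}"
    return finding


def scan(records):
    return [f for f in (evaluate(r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The variable being set is the signal even when the injection cannot succeed: glibc's loader ignores LD_PRELOAD entries containing a slash for set-user-ID programs such as sudo, and dyld ignores DYLD_* variables for SIP-protected and hardened-runtime binaries, so a sighting on those targets records an attempt, while the __TEXT or memory-mapping changes the macOS analytic also watches for confirm whether a hook actually landed.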