MITRE ATT&CK Technique
Persistence T1179
Description

Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.

Hooking involves redirecting calls to these functions and can be implemented via:

* **Hook procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Elastic Process Injection July 2017)
* **Import address table (IAT) hooking**, which modifies a process’s IAT, where pointers to imported API functions are stored. (Citation: Elastic Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)
* **Inline hooking**, which overwrites the first bytes of an API function to redirect code flow. (Citation: Elastic Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.

Malicious hooking mechanisms may also capture API calls whose parameters reveal user authentication credentials, enabling Credential Access. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)

Hooking is commonly utilized by [Rootkit](https://attack.mitre.org/techniques/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. (Citation: Symantec Windows Rootkits)
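As an added example (not part of the ATT&CK entry or any of the cited tools), the following Python applies the two defender-side checks that the IAT and inline hooking mechanisms above imply: an import slot must resolve inside the exporting DLL's image range, and an exported function's first bytes must not begin with an unconditional jump or push/ret trampoline. The module addresses, IAT slots and function bytes are constructed; on a live system the same logic would be fed from a process memory snapshot.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed module map (hypothetical base addresses, not from any real process).
@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

MODULES = [Module("kernel32.dll", 0x7FF800000000, 0xC0000),
           Module("ntdll.dll", 0x7FF810000000, 0x1E0000)]

def find_iat_hooks(iat: dict[str, tuple[str, int]], modules=MODULES) -> list[str]:
    """IAT check: each slot 'Function' -> (exporting DLL, pointer) must resolve
    inside the exporting DLL's image range; anything else is a redirected import."""
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for func, (dll, target) in iat.items():
        owner = by_name.get(dll.lower())
        if owner is None or not owner.contains(target):
            where = next((m.name for m in modules if m.contains(target)), "unbacked memory")
            findings.append(f"IAT {dll}!{func} -> {target:#x} ({where})")
    return findings

# First-byte patterns of a redirected entry point: JMP rel32 (E9), JMP short (EB),
# JMP [mem] (FF 25); PUSH imm32 / RET (68 .. C3) is checked separately below.
TRAMPOLINE_PREFIXES = (b"\xE9", b"\xEB", b"\xFF\x25")

def is_inline_hooked(prologue: bytes) -> bool:
    """Inline check: flag a prologue that begins with an unconditional transfer."""
    if prologue.startswith(TRAMPOLINE_PREFIXES):
        return True
    return len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3

def scan(iat, prologues: dict[str, bytes], modules=MODULES) -> list[str]:
    """Run both checks over a snapshot and return human-readable findings."""
    findings = find_iat_hooks(iat, modules)
    findings += [f"inline {f}: {p[:8].hex(' ')}" for f, p in prologues.items() if is_inline_hooked(p)]
    return findings

# Constructed snapshot: one IAT slot redirected into unbacked memory, one export
# with an intact syscall-stub prologue, one whose first bytes became a JMP rel32.
SAMPLE_IAT = {"CreateFileW": ("kernel32.dll", 0x7FF800012340),
              "WriteFile":   ("kernel32.dll", 0x0000023F00004000)}
SAMPLE_PROLOGUES = {"NtCreateFile": bytes.fromhex("4c8bd1b855000000"),     # mov r10,rcx; mov eax,imm
                    "NtQueryDirectoryFile": bytes.fromhex("e91f2a0000cc")}  # jmp rel32; int3 pad
```

`scan(SAMPLE_IAT, SAMPLE_PROLOGUES)` reports the redirected `WriteFile` slot and the patched `NtQueryDirectoryFile` prologue and nothing else; a pointer that lands in another legitimate module (for example an API-set forwarder) is still flagged here, so real deployments need a forwarder allow-list.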

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2018-01-16T16:13:52.465Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Windows processes often leverage application programming '
                'interface (API) functions to perform tasks that require '
                'reusable system resources. Windows API functions are '
                'typically stored in dynamic-link libraries (DLLs) as exported '
                'functions. \n'
                '\n'
                'Hooking involves redirecting calls to these functions and can '
                'be implemented via:\n'
                '\n'
                '* **Hooks procedures**, which intercept and execute '
                'designated code in response to events such as messages, '
                'keystrokes, and mouse inputs. (Citation: Microsoft Hook '
                'Overview) (Citation: Elastic Process Injection July 2017)\n'
                '* **Import address table (IAT) hooking**, which use '
                'modifications to a process’s IAT, where pointers to imported '
                'API functions are stored. (Citation: Elastic Process '
                'Injection July 2017) (Citation: Adlice Software IAT Hooks Oct '
                '2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n'
                '* **Inline hooking**, which overwrites the first bytes in an '
                'API function to redirect code flow. (Citation: Elastic '
                'Process Injection July 2017) (Citation: HighTech Bridge '
                'Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic '
                'Hooking 2015)\n'
                '\n'
                'Similar to [Process '
                'Injection](https://attack.mitre.org/techniques/T1055), '
                'adversaries may use hooking to load and execute malicious '
                'code within the context of another process, masking the '
                "execution while also allowing access to the process's memory "
                'and possibly elevated privileges. Installing hooking '
                'mechanisms may also provide Persistence via continuous '
                'invocation when the functions are called through normal use.\n'
                '\n'
                'Malicious hooking mechanisms may also capture API calls that '
                'include parameters that reveal user authentication '
                'credentials for Credential Access. (Citation: Microsoft '
                'TrojanSpy:Win32/Ursnif.gen!I Sept 2017)\n'
                '\n'
                'Hooking is commonly utilized by '
                '[Rootkit](https://attack.mitre.org/techniques/T1014)s to '
                'conceal files, processes, Registry keys, and other objects in '
                'order to hide malware and associated behaviors. (Citation: '
                'Symantec Windows Rootkits)',
 'external_references': [{'external_id': 'T1179',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1179'},
                         {'description': 'Microsoft. (n.d.). Hooks Overview. '
                                         'Retrieved December 12, 2017.',
                          'source_name': 'Microsoft Hook Overview',
                          'url': 'https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx'},
                         {'description': 'Hosseini, A. (2017, July 18). Ten '
                                         'Process Injection Techniques: A '
                                         'Technical Survey Of Common And '
                                         'Trending Process Injection '
                                         'Techniques. Retrieved December 7, '
                                         '2017.',
                          'source_name': 'Elastic Process Injection July 2017',
                          'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'},
                         {'description': 'Tigzy. (2014, October 15). Userland '
                                         'Rootkits: Part 1, IAT hooks. '
                                         'Retrieved December 12, 2017.',
                          'source_name': 'Adlice Software IAT Hooks Oct 2014',
                          'url': 'https://www.adlice.com/userland-rootkits-part-1-iat-hooks/'},
                         {'description': 'Hillman, M. (2015, August 8). '
                                         'Dynamic Hooking Techniques: User '
                                         'Mode. Retrieved December 20, 2017.',
                          'source_name': 'MWRInfoSecurity Dynamic Hooking 2015',
                          'url': 'https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/'},
                         {'description': 'Mariani, B. (2011, September 6). '
                                         'Inline Hooking in Windows. Retrieved '
                                         'December 12, 2017.',
                          'source_name': 'HighTech Bridge Inline Hooking Sept '
                                         '2011',
                          'url': 'https://www.exploit-db.com/docs/17802.pdf'},
                         {'description': 'Microsoft. (2017, September 15). '
                                         'TrojanSpy:Win32/Ursnif.gen!I. '
                                         'Retrieved December 18, 2017.',
                          'source_name': 'Microsoft '
                                         'TrojanSpy:Win32/Ursnif.gen!I Sept '
                                         '2017',
                          'url': 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918'},
                         {'description': 'Symantec. (n.d.). Windows Rootkit '
                                         'Overview. Retrieved December 21, '
                                         '2017.',
                          'source_name': 'Symantec Windows Rootkits',
                          'url': 'https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf'},
                         {'description': 'Volatility Labs. (2012, September '
                                         '24). MoVP 3.1 Detecting Malware '
                                         'Hooks in the Windows GUI Subsystem. '
                                         'Retrieved December 12, 2017.',
                          'source_name': 'Volatility Detecting Hooks Sept 2012',
                          'url': 'https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html'},
                         {'description': 'Prekas, G. (2011, July 11). Winhook. '
                                         'Retrieved December 12, 2017.',
                          'source_name': 'PreKageo Winhook Jul 2011',
                          'url': 'https://github.com/prekageo/winhook'},
                         {'description': 'Satiro, J. (2011, September 14). '
                                         'GetHooks. Retrieved December 12, '
                                         '2017.',
                          'source_name': 'Jay GetHooks Sept 2011',
                          'url': 'https://github.com/jay/gethooks'},
                         {'description': 'Felici, M. (2006, December 6). Any '
                                         'application-defined hook procedure '
                                         'on my machine?. Retrieved December '
                                         '12, 2017.',
                          'source_name': 'Zairon Hooking Dec 2006',
                          'url': 'https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/'},
                         {'description': 'Eye of Ra. (2017, June 27). Windows '
                                         'Keylogger Part 2: Defense against '
                                         'user-land. Retrieved December 12, '
                                         '2017.',
                          'source_name': 'EyeofRa Detecting Hooking June 2017',
                          'url': 'https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/'},
                         {'description': 'GMER. (n.d.). GMER. Retrieved '
                                         'December 12, 2017.',
                          'source_name': 'GMER Rootkits',
                          'url': 'http://www.gmer.net/'},
                         {'description': 'Microsoft. (n.d.). Taking a Snapshot '
                                         'and Viewing Processes. Retrieved '
                                         'December 12, 2017.',
                          'source_name': 'Microsoft Process Snapshot',
                          'url': 'https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx'},
                         {'description': 'Stack Exchange - Security. (2012, '
                                         'July 31). What are the methods to '
                                         'find hooked functions and APIs?. '
                                         'Retrieved December 12, 2017.',
                          'source_name': 'StackExchange Hooks Jul 2012',
                          'url': 'https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis'}],
 'id': 'attack-pattern--66f73398-8394-4711-85e5-34c8540b22a5',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'credential-access'}],
 'modified': '2025-10-24T17:48:52.925Z',
 'name': 'Hooking',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.1'}