Hooking

00:00

hello and welcome to another application of the minor attack framework discussion today. We're going to be looking at cooking show.

00:09

The objectives of today's discussion are as followed. So we're going to describe what hooking is, how it has been used water, some mitigation techniques and some detection techniques as well. So let's jump right in. So when we talk about hooking within the minor attack framework,

00:27

the act of leveraging application programming interface functions to perform tasks that require reusable system resource is so hooking involves redirecting calls via hook procedures,

00:40

import address, table hooking, in line hooking as well s Oh, this is like process injection threat. Actors can use hooking to load and execute malicious code as though it were another process. So some use cases and some ways that this is eyes done.

00:58

So we've got classic deal l injection via create remote threat and load library. And so this malware writes the path of its malicious dll in the virtual address space of another process.

01:12

We've also got portable, execute herbal injection. P e injection doesn't pass the address of the loan library so it makes a copy of malicious code into an existing open process and causes it to execute than we've got. Thread execution, hijacking, which is like process hollowing, where the threat execution hijacking

01:32

targets

01:33

an existing thread of a process and avoids any noisy process or threat creation operations. And so, depending on the types of tools that we have in place and what we're doing in the environment, we may be able t detect this or it may go unnoticed. Now some mitigation techniques that we can use here.

01:53

Prevention techniques are difficult to achieve, so some methods may include the use of malicious patch detection

02:00

or when there's any hollowing of processes or changes to those any calls that could be used for hooking.

02:07

Then we may be able to detect them. But if a threat after is trying to move in a sneaky way, it may be difficult to pick these up now. Some detection techniques include

02:20

monitoring for calls to the set, Windows, Hook X and set when event hook functions and then implement software specific for root kit detection. Any alerts

02:30

should be reviewed as a part of your process. Is there?

02:36

Now let's do a quick check on learning. True or false hooking is relatively easy to prevent and detect,

02:46

so if you need some additional time, please go ahead and pause the video. But hooking is not relatively easy to detect or prevent in these cases, and so this would be a false statement now,

03:00

in summary of today's discussion, Hooking is essentially when we inject information into a legitimate process or take that process over. We described how it's been used in those three areas mitigation techniques as well as detection techniques.