Engage Goals: EGO0003 Elicit
Engage Approach: EAP0001 Collect
Engage Actions: EAC0014 Software Manipulation, EAC0015 Information Manipulation
Name of Element: Deceptive API Call Hooking with Modified Return Values
Description of Element:
Intercept specific API calls made by applications and return modified or fabricated data to mislead attackers or disrupt their tools. This can be used to conceal sensitive information (for example, answering a credential or configuration lookup with a honeytoken instead of the real value), trigger errors in attacker utilities, or gather intelligence on their techniques: every call that matches a deception rule is itself a signal of what the attacker is looking for, and any later use of the fabricated data ties the activity back to the hook.
Technical Context:
Placement: Implemented as a kernel-mode driver or a user-mode library that intercepts API calls. A user-mode hook only covers the process it is loaded into and is bypassed by tooling that issues system calls directly or is statically linked; kernel placement sees every process but, on 64-bit Windows, Kernel Patch Protection (PatchGuard) rules out patching the system call table, so kernel-side interception is generally built on the documented callback and filter-driver interfaces rather than on inline patches.
Utilize a hooking library like Detours or Frida to intercept API calls. Implement custom logic to analyze the call parameters and return modified data or trigger specific actions based on predefined rules. The hook must keep the original function's signature and calling convention, forward every call the rules do not cover to the original implementation unchanged, and return fabricated values that stay consistent across related calls (a decoy hostname that differs between two APIs exposes the hook). Expect capable adversaries to check function prologues for inline patches, so the deception is strongest against automated collection tools rather than hands-on operators.
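The following is an added example, not code from the Engage knowledge base or from Detours or Frida. It shows the same hook shape on Linux, where defining a libc function in the executable (or in an LD_PRELOAD shared object, the counterpart of injecting a Detours-based DLL) shadows the original for the whole process, and dlsym(RTLD_NEXT, ...) recovers the original so unmatched calls pass through. The hooked function, the rule table and the honeytoken values are all constructed for this example; the target here is getenv, chosen because credential-harvesting tools read secrets from the environment, and glibc or macOS libc is assumed.

```c
#define _GNU_SOURCE              /* asks glibc's <dlfcn.h> for RTLD_NEXT */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l) /* glibc's value, in case features were already fixed */
#endif

/* Deception rules (constructed for this example): environment variables an
 * attacker's tooling is likely to ask for, paired with the fabricated
 * honeytoken value the hook hands back instead of the real secret. */
struct decoy_rule {
    const char *name;
    const char *fake_value;
};

static const struct decoy_rule decoy_rules[] = {
    { "AWS_SECRET_ACCESS_KEY", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" },
    { "DB_PASSWORD",           "Decoy-Pa55w0rd-Rotate-Me" },
};

/* Telemetry the defender reads back: how many times a rule fired and which
 * variable was requested last.  A deployment would forward this to a SIEM
 * rather than keep it in process memory. */
static unsigned long decoy_hits = 0;
static char last_decoyed[128] = "";

unsigned long hook_decoy_hits(void)   { return decoy_hits; }
const char   *hook_last_decoyed(void) { return last_decoyed; }

static const struct decoy_rule *match_rule(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof decoy_rules / sizeof decoy_rules[0]; i++)
        if (strcmp(decoy_rules[i].name, name) == 0)
            return &decoy_rules[i];
    return NULL;
}

/* The hook.  This definition takes precedence over libc's getenv for every
 * call site in the process.  RTLD_NEXT resolves the next definition in
 * library search order, i.e. the real one, so unmatched lookups are
 * forwarded unchanged and the hook stays invisible for normal use. */
char *getenv(const char *name)
{
    static char *(*real_getenv)(const char *) = NULL;
    const struct decoy_rule *rule;

    if (real_getenv == NULL)
        *(void **)(&real_getenv) = dlsym(RTLD_NEXT, "getenv");

    rule = match_rule(name);
    if (rule != NULL) {
        decoy_hits++;
        snprintf(last_decoyed, sizeof last_decoyed, "%s", name);
        fprintf(stderr, "[decoy] getenv(\"%s\") answered with fabricated value\n", name);
        return (char *)rule->fake_value;   /* the real secret is never exposed */
    }
    return real_getenv ? real_getenv(name) : NULL;
}

/* Stand-alone demo: the lookup loop a credential-harvesting tool would run. */
int main(void)
{
    const char *wanted[] = { "AWS_SECRET_ACCESS_KEY", "DB_PASSWORD", "PATH" };
    size_t i;
    for (i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        const char *v = getenv(wanted[i]);
        printf("%s=%s\n", wanted[i], v ? v : "(unset)");
    }
    printf("decoy rules fired %lu time(s); last: %s\n",
           hook_decoy_hits(), hook_last_decoyed());
    return 0;
}
```

To apply the hook to another process rather than the demo binary, drop main, build with -shared -fPIC and load it with LD_PRELOAD; on Windows the same rule-table-plus-pass-through structure sits inside a DetourAttach'd replacement for the target API. The pass-through branch is the part that matters for safety: anything the rules do not name must reach the original function with its arguments untouched, and a statically linked tool, or one that reads /proc/self/environ directly, never calls getenv at all and sees nothing of the deception.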
Other:
ATT&CK/Engage Mapping: T1056 Input Capture, E1501 Honeytrap