Credential_Access/Hooking

Windows/Credential_Access/Hooking.md

@@ -0,0 +1,12 @@
+## Hooking
+
+MITRE ATT&CK Technique: [T1179](https://attack.mitre.org/wiki/Technique/T1179)
+
+### Sample Windows DLL Injection into PowerShell
+
+     mavinject $pid /INJECTRUNNING C:\Atomic\AtomicSSLHook.dll
+  
+## Test Script
+
+[AtomicSSLHook.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AtomicSSLHook.dll)
+

Windows/README.md

@@ -9,23 +9,23 @@
 | Spearphishing Attachment 	| 	Execution through API	| [Authentication Package](Persistence/Authentication_Package.md)	| Application Shimming	| CMSTP	| Credentials in Registry	| Network Service Scanning	| [Pass the Hash](Lateral_Movement/Pass_the_Hash.md)	| Data from Information Repositories	| Exfiltration Over Alternative Protocol	| Custom Cryptographic Protocol |
 | Spearphishing Link	| Execution through Module Load	| [BITS Jobs](Execution/Bitsadmin.md)	| [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md)	| Code Signing	| Exploitation for Credential Access	| Network Share Discovery	| Pass the Ticket	| Data from Local System	| Exfiltration Over Command and Control Channel	|Data Encoding |		 |
 | Spearphishing via Service	| Exploitation for Client Execution	| Bootkit	|DLL Search Order Hijacking	| Component Firmware	| Forced Authentication	| Password Policy Discovery	| [Remote Desktop Protocol](Lateral_Movement/Remote_Desktop_Protocol.md)	| Data from Network Shared Drive	| Exfiltration Over Other Network Medium	| Data Obfuscation |
-| Supply Chain Compromise	| Graphical User Interface	| [Browser Extensions](Persistence/Browser_Extensions.md)	| Exploitation for Privilege Escalation	| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md)	| Hooking	| Peripheral Device Discovery	| Remote File Copy	| Data from Removable Media	| Exfiltration Over Physical Medium	| Domain Fronting |
+| Supply Chain Compromise	| Graphical User Interface	| [Browser Extensions](Persistence/Browser_Extensions.md)	| Exploitation for Privilege Escalation	| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md)	| [Hooking](Credential_Access/Hooking.md)	| Peripheral Device Discovery	| Remote File Copy	| Data from Removable Media	| Exfiltration Over Physical Medium	| Domain Fronting |
 |Trusted Relationship	| [InstallUtil](Execution/InstallUtil.md) 	| [Change Default File Association](Persistence/Change_Default_File_Association.md) 	| Extra Window Memory Injection	| Control Panel Items	| [Input Capture](Collection/Input_Capture.md)	| Permission Groups Discovery	| Remote Services	| Email Collection	| Scheduled Transfer	| Fallback Channels |
 | Valid Accounts	| LSASS Driver	| Component Firmware	| File System Permissions Weakness	| DCShadow	| Kerberoasting	| Process Discovery	| Replication Through Removable Media	| [Input Capture](Collection/Input_Capture.md) |     |  Multi-Stage Channels |
-|      | [Mshta](Execution/Mshta.md) 	| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md)	| Hooking	| DLL Search Order Hijacking	| LLMNR/NBT-NS Poisoning	| [Query Registry](Discovery/Query_Registry.md)	| Shared Webroot	| Man in the Browser	|      		| Multi-hop Proxy	|     
+|      | [Mshta](Execution/Mshta.md) 	| [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md)	| [Hooking](Credential_Access/Hooking.md)	| DLL Search Order Hijacking	| LLMNR/NBT-NS Poisoning	| [Query Registry](Discovery/Query_Registry.md)	| Shared Webroot	| Man in the Browser	|      		| Multi-hop Proxy	|     
 |      |[PowerShell](Execution/PowerShell.md)	| [Create Account](Credential_Access/Create_Account.md)	| Image File Execution Options Injection	| DLL Side-Loading	| Network Sniffing	| [Remote System Discovery](Discovery/Remote_System_Discovery.md) 	| Taint Shared Content	| Screen Capture		|      | Multiband Communication	|  
 |      |[Regsvcs/Regasm](Execution/RegsvcsRegasm.md) 	| DLL Search Order Hijacking	| [New Service](Persistence/New_Service.md)	| [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md)	| Password Filter DLL	| [Security Software Discovery](Discovery/Security_Software_Discovery.md) 	| Third-party Software	| Video Capture		|      | Multilayer Encryption	|  
 |      |[Regsvr32](Execution/Regsvr32.md)	| External Remote Services	| Path Interception	| [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md)	| [Private Keys](Credential_Access/Private_Keys.md) 	| [System Information Discovery](Discovery/System_Information_Discovery.md)	| [Windows Admin Shares](Lateral_Movement/Windows_Admin_Shares.md)			| 			| 			| Remote Access Tools		|
 |      |[Rundll32](Execution/rundll32.md) 	| File System Permissions Weakness	| Port Monitors	| Exploitation for Defense Evasion	| Replication Through Removable Media	| [System Network Configuration Discovery](Discovery/System_Network_Configuration_Discovery.md)	| [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md)			| 			| 			| Remote File Copy			| 			|
 |      |[Scheduled Task](Persistence/Scheduled_Task.md) 	| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md)	| [Process Injection](Privilege_Escalation/Process_Injection.md) 	| Extra Window Memory Injection	| Two-Factor Authentication Interception	| System Network Connections Discovery				| 			| 			| 			| Standard Application Layer Protocol		| 		
-|      | Scripting	| Hooking	| SID-History Injection	| [File Deletion](Defense_Evasion/File_Deletion.md) 		| 			| [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) 				| 			| 			| 			| Standard Cryptographic Protocol|
+|      | Scripting	| [Hooking](Credential_Access/Hooking.md)	| SID-History Injection	| [File Deletion](Defense_Evasion/File_Deletion.md) 		| 			| [System Owner/User Discovery](Discovery/System_Owner-User_Discovery.md) 				| 			| 			| 			| Standard Cryptographic Protocol|
 |      |Service Execution	| Hypervisor	| [Scheduled Task](Persistence/Scheduled_Task.md) 	| File System Logical Offsets		| 			| [System Service Discovery](Discovery/System_Service_Discovery.md)				| 			| 			| 			| Standard Non-Application Layer Protocol|			
 |      |Signed Binary Proxy Execution	| Image File Execution Options Injection	| Service Registry Permissions Weakness	| [Hidden Files and Directories](Defense_Evasion/Hidden_Files_and_Directories.md)		| 			|  [System Time Discovery](Discovery/System_Time_Discovery.md)				|			| 			| 			|  Uncommonly Used Port|
 |      				| Signed Script Proxy Execution	| LSASS Driver	| Valid Accounts	| Image File Execution Options Injection						| 			| 			| 			| 			| 			| Web Service		|
 |		| Third-party Software	| [Logon Scripts](Persistence/Logon_Scripts.md)	| Web Shell	| Indicator Blocking								| 				| 		| 		| 			| 			| 			|
 | 		| [Trusted Developer Utilities](Execution/Trusted_Developer_Utilities.md) 	| Modify Existing Service		|	|  Indicator Removal from Tools		|				 | 		|		|		 | 		|		 |
 |		| User Execution	| [Netsh Helper DLL](Persistence/Netsh_Helper_DLL.md)		|		 | [Indicator Removal on Host](Defense_Evasion/Indicator_Removal_on_Host.md) 						| 		 		| 		|		 |		 | 		|		 |
-|		|   [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md)	| [New Service](Persistence/New_Service.md)		| 		|Indirect Command Execution			|				 | 		|		 |		 |		 | 		|	
+|		|   [Windows Management Instrumentation](Execution/Windows_Management_Instrumentation.md)	| [New Service](Persistence/New_Service.md)		| 		|Indirect Command Execution			|				 | 		|		 |		 |		 | 		|
 | 		| [Windows Remote Management](Lateral_Movement/Windows_Remote_Management.md)	| [Office Application Startup](Persistence/Office_Application_Startup.md) 		|  		|Install Root Certificate		| 				|		|		 | 		|		 |		 |
 |		 | 		| Path Interception		|  		|[InstallUtil](Execution/InstallUtil.md) 													| 				|		|		 | 		|		 |		 |
 |		 | 		| Port Monitors		|  		|Masquerading								 						| 				|		 |		 | 		|		 |		 |