
Bypassing Security Hooks

Security hooks are mechanisms implemented by application security products to intercept and monitor sensitive operations within the application runtime environment. In the Deepening Control phase of an attack, adversaries attempt to bypass these security hooks to disable or evade runtime protection services. This sub-technique involves identifying and circumventing function hooks placed in memory, API hooking mechanisms, or callback registrations that security products use to monitor application behavior. Attackers may employ techniques such as direct syscall invocation to bypass user-mode API hooks, memory manipulation to restore original function prologues, or use of alternative code paths that avoid hooked functions altogether. By successfully bypassing these security hooks, attackers can execute malicious operations without triggering security alerts, disable monitoring capabilities, and gain deeper control over the application while remaining undetected by runtime protection mechanisms.

Mitigations

ID Mitigation Description
M1050 Exploit Protection Harden hooking frameworks with integrity checks (e.g., LD_AUDIT, kernel module signing) so unauthorised patching is blocked or triggers a panic.
M1045 Code Signing Enforce code-integrity on shared libraries and DLLs so unsigned replacements cannot be injected to bypass hooks.
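The "integrity checks" in M1050 can be implemented inside the hooking framework itself: immediately after installing its hooks it fingerprints the first bytes of every guarded function, then re-verifies those fingerprints on a timer so a restored prologue produces an alert instead of silent loss of coverage. The following is an added example, not code from this page or from any particular product; PROLOGUE_LEN, the guarded function names and the FakeCode stand-in are assumptions made for the example.

```python
"""Hook-integrity self-check (added example, not the page's own code).

Right after hooks are in place, fingerprint the leading bytes of each guarded
function; later, compare again. A mismatch means someone patched the code
region, for instance by restoring the original prologue over the hook.
"""
import ctypes
import hashlib

PROLOGUE_LEN = 16  # bytes fingerprinted per function (assumed size)


def fingerprint(addr: int, length: int = PROLOGUE_LEN) -> str:
    """SHA-256 of the first `length` bytes at `addr`; code pages are readable."""
    return hashlib.sha256(ctypes.string_at(addr, length)).hexdigest()


def snapshot(targets: dict) -> dict:
    """Baseline taken once hooks are installed: function name -> fingerprint."""
    return {name: fingerprint(addr) for name, addr in targets.items()}


def verify(targets: dict, baseline: dict) -> list:
    """Names whose current prologue bytes no longer match the baseline."""
    return sorted(name for name, addr in targets.items()
                  if fingerprint(addr) != baseline[name])


class FakeCode:
    """Constructed stand-in for a code region, so the check can be exercised
    without pointing at a real function. The bytes are arbitrary."""

    def __init__(self, content: bytes):
        self._buf = ctypes.create_string_buffer(content, len(content))
        self.addr = ctypes.addressof(self._buf)

    def patch(self, offset: int, data: bytes) -> None:
        """Overwrite bytes in place, standing in for unauthorised patching."""
        ctypes.memmove(self.addr + offset, data, len(data))


def resolve_libc(names):
    """Addresses of real C-library functions (POSIX only; used by the demo)."""
    libc = ctypes.CDLL(None)
    return {n: ctypes.cast(getattr(libc, n), ctypes.c_void_p).value for n in names}


if __name__ == "__main__":
    # Demo on real functions: with nothing patched, verify() reports nothing.
    guarded = resolve_libc(["getpid", "mprotect"])
    baseline = snapshot(guarded)
    print("tampered functions:", verify(guarded, baseline) or "none")
```

In a real framework the baseline would be taken from the hooked bytes (so the fingerprint covers the trampoline, not the original prologue) and stored outside the writable data of the process being protected, otherwise the same patching primitive can update the baseline as well.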

Detection

ID Data Source Detection
DS0009 Process: OS API Execution Detect mprotect(PROT_EXEC) or Windows VirtualProtect calls that change memory protections on security modules followed by write operations.
DS0022 File: File Modification Monitor protected library directories for unexpected timestamp changes or hash mismatches indicating hook DLL replacement.
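The two detections in the table, written out as an added example that is not the page's own code: DS0009 correlates a memory-protection change on a security module's mapped range with a subsequent write into that range by the same process, and DS0022 diffs a hash baseline of a protected library directory against its current contents. The event fields, the security-module map, the five-second window and the library files are all constructed for the example.

```python
"""Detections for DS0009 and DS0022 (added example, not the page's own code).
All telemetry, module ranges and files below are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

WINDOW_S = 5.0  # max gap between protection change and write (assumed)

# Constructed map: pid -> [(module, start, end)] of runtime-protection modules
SECURITY_MODULES = {
    4242: [("libsecmon.so", 0x7F0000000000, 0x7F0000100000)],
    7777: [("secmon.dll", 0x7FF800000000, 0x7FF800080000)],
}


@dataclass
class Event:
    ts: float
    pid: int
    kind: str        # "mprotect", "VirtualProtect" or "write"
    addr: int
    size: int
    prot: str = ""   # requested protection for mprotect/VirtualProtect events


def security_module_at(pid, addr, size):
    """Name of the security module whose mapping overlaps [addr, addr+size)."""
    for name, start, end in SECURITY_MODULES.get(pid, []):
        if addr < end and addr + size > start:
            return name
    return None


def correlate_protection_then_write(events):
    """DS0009: protection change on a security module, then a write into the
    same module by the same process within WINDOW_S. Returns alert tuples
    (pid, module, protection-change ts, write ts, requested protection)."""
    alerts, pending = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        pending = [p for p in pending if ev.ts - p[0].ts <= WINDOW_S]
        if ev.kind in ("mprotect", "VirtualProtect"):
            mod = security_module_at(ev.pid, ev.addr, ev.size)
            if mod:
                pending.append((ev, mod))
        elif ev.kind == "write":
            target = security_module_at(ev.pid, ev.addr, ev.size)
            for pev, mod in pending:
                if pev.pid == ev.pid and mod == target:
                    alerts.append((ev.pid, mod, pev.ts, ev.ts, pev.prot))
    return alerts


# Constructed sample telemetry: one tamper sequence, two benign ones
# (a change outside any security module, and a write outside the window).
SAMPLE_EVENTS = [
    Event(100.0, 4242, "mprotect", 0x7F0000001000, 0x1000, "PROT_READ|PROT_WRITE|PROT_EXEC"),
    Event(100.2, 4242, "write", 0x7F0000001010, 16),
    Event(101.0, 4242, "mprotect", 0x555500000000, 0x1000, "PROT_READ|PROT_EXEC"),
    Event(101.1, 4242, "write", 0x555500000040, 8),
    Event(300.0, 7777, "VirtualProtect", 0x7FF800002000, 0x1000, "PAGE_EXECUTE_READWRITE"),
    Event(310.0, 7777, "write", 0x7FF800002000, 4),
]


def hash_tree(directory):
    """DS0022 helper: relative path -> SHA-256 for every file under directory."""
    out = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, directory)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def find_modified_libraries(baseline, current):
    """DS0022: files whose hash changed, plus unexpected additions/removals."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def simulate_library_replacement():
    """Build a throwaway 'protected library directory', baseline it, then
    replace one library and drop in an extra file; returns the diff."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("libsecmon.so", b"hook v1"), ("libcrypto.so", b"unchanged")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        baseline = hash_tree(d)
        with open(os.path.join(d, "libsecmon.so"), "wb") as fh:
            fh.write(b"replacement build")
        with open(os.path.join(d, "unexpected.so"), "wb") as fh:
            fh.write(b"new file")
        return find_modified_libraries(baseline, hash_tree(d))


if __name__ == "__main__":
    for a in correlate_protection_then_write(SAMPLE_EVENTS):
        print("DS0009 alert: pid=%d module=%s protect@%.1f write@%.1f (%s)" % a)
    print("DS0022 diff:", simulate_library_replacement())
```

The DS0009 rule deliberately keys on the module range rather than the protection flags alone, since legitimate loaders also call mprotect/VirtualProtect on executable pages; what is rare is a write landing inside a security module's mapping shortly after its protections change. For DS0022 the baseline must itself be signed or stored read-only, in line with M1045, or a replacement DLL can be paired with a refreshed baseline.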