Threat actors may hook application programming interface (API) functions used by processes to redirect calls as a means of execution and privilege escalation. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. By hooking them, the attacker intercepts function calls between software components to modify behavior, inspect data, or redirect execution flow.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
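
Since prevention is limited, defenders usually fall back on integrity checks of the exported functions themselves. The following added example (not part of the original page) compares the first bytes of each export in memory with the clean on-disk copy and decodes two common x86-64 redirect sequences; the module range, addresses and byte strings are constructed sample data, and reading them from a live process and from the DLL file is assumed to happen elsewhere.

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF

def redirect_target(code: bytes, address: int):
    """Absolute target if `code` opens with a common x86-64 redirect, else None."""
    if len(code) >= 5 and code[0] == 0xE9:  # jmp rel32
        return (address + 5 + struct.unpack_from("<i", code, 1)[0]) & MASK64
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return struct.unpack_from("<Q", code, 2)[0]  # mov rax, imm64 ; jmp rax
    return None

def find_patched_exports(baseline, live, module_range):
    """Compare in-memory export prologues with the clean on-disk copy.

    baseline: {name: bytes}; live: {name: (address, bytes)}.
    Returns [(name, target_or_None, leaves_module)] for every mismatch.
    """
    lo, hi = module_range
    findings = []
    for name, (address, code) in sorted(live.items()):
        if code == baseline.get(name):
            continue  # bytes match the file on disk: not patched
        target = redirect_target(code, address)
        leaves = target is not None and not (lo <= target < hi)
        findings.append((name, target, leaves))
    return findings

# --- constructed sample data (not captured from a real system) ---
MODULE = (0x7FFA10000000, 0x7FFA10200000)        # assumed DLL image range
CLEAN = bytes.fromhex("48895c240848897424105748")  # assumed 12-byte prologue
BASELINE = {n: CLEAN for n in ("CloseHandle", "CreateFileW", "ReadFile", "WriteFile")}

def jmp_rel32(src, dst):
    # Helper that builds the constructed "patched" samples below.
    return b"\xE9" + struct.pack("<i", dst - (src + 5)) + CLEAN[5:]

LIVE = {
    "ReadFile":    (0x7FFA10011000, CLEAN),
    "CreateFileW": (0x7FFA10012340, jmp_rel32(0x7FFA10012340, 0x7FFA50000000)),
    "CloseHandle": (0x7FFA10013000, jmp_rel32(0x7FFA10013000, 0x7FFA10100000)),
    "WriteFile":   (0x7FFA10014000, b"\x48\xB8" + struct.pack("<Q", 0x1F4A0000000) + b"\xFF\xE0"),
}

if __name__ == "__main__":
    for name, target, leaves in find_patched_exports(BASELINE, LIVE, MODULE):
        print(f"{name}: target={'?' if target is None else hex(target)} leaves_module={leaves}")
```

A redirect that leaves the module is a lead, not a verdict: endpoint security products place user-mode hooks in the same way, so triage means identifying which module or memory region owns the target address.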