MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1056.001: Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes. Some methods include:

  • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
  • Reading raw keystroke data from the hardware buffer.
  • Windows Registry modifications.
  • Custom drivers.
  • Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_cred_access: PT-CR-1013: PuntoSwitcher_Diary_Open: Possible use of a Punto Switcher diary as a keylogger

Detection

ID: DS0027
Data source and component: Driver: Driver Load
Description: Monitor for unusual kernel driver installation activity.

ID: DS0009
Data source and component: Process: OS API Execution
Description: Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but they may provide behavioral data that is useful when combined with other information, such as new files written to disk and unusual processes.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description: Monitor for changes made to Windows Registry keys or values for unexpected modifications.