Behavioral Detection of Input Capture Across Platforms

Technique Detected: Input Capture | T1056

ID: DET0102
Domains: Enterprise
Analytics: AN0282, AN0283, AN0284, AN0285
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0282

Monitors for abnormal process behavior and for API calls such as SetWindowsHookEx, GetAsyncKeyState, or raw input device polling, which are commonly used for keystroke logging.

Log Sources
  Data Component           Name                  Channel
  Process Access (DC0035)  WinEventLog:Sysmon    EventCode=10
  File Access (DC0055)     WinEventLog:Security  EventCode=4656

Mutable Elements
  Field        Description
  TargetImage  Can be scoped to sensitive GUI processes like explorer.exe or winlogon.exe
  TimeWindow   Time threshold for detecting multiple suspicious accesses
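The following is an added example, not code from the DET0102 page or from MITRE: a small detector over Sysmon Event ID 10 (ProcessAccess) records that implements the TargetImage and TimeWindow mutable elements of AN0282. It flags a source process that opens a sensitive GUI process (explorer.exe, winlogon.exe) at least MIN_ACCESSES times inside TIME_WINDOW. The field names (UtcTime, SourceImage, TargetImage, GrantedAccess) follow Sysmon's ProcessAccess schema; the sample records, the thresholds and the BENIGN_SOURCES allowlist are constructed assumptions to be tuned per environment.

```python
"""Added example for the AN0282 analytic: sliding-window detection over
Sysmon Event ID 10 (ProcessAccess) records. Not code from the DET0102 page;
records, thresholds and allowlist below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from the analytic, expressed as tunables.
SENSITIVE_TARGETS = {"explorer.exe", "winlogon.exe"}   # TargetImage scope
TIME_WINDOW = timedelta(minutes=5)                     # TimeWindow
MIN_ACCESSES = 3                                       # opens inside the window before alerting
# Sources that legitimately open GUI processes all day; tune per environment (assumption).
BENIGN_SOURCES = {"csrss.exe", "msmpeng.exe"}


def basename(image_path):
    """Lower-cased file name of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def parse_utc(s):
    """Sysmon UtcTime format, e.g. '2025-10-21 09:01:00.000'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect_process_access(events):
    """events: Sysmon EID 10 records as dicts.
    Returns one alert per (SourceImage, target) pair that reaches MIN_ACCESSES
    opens of a sensitive GUI process inside TIME_WINDOW, as
    (SourceImage, target name, window start, count)."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 10:
            continue
        src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
        if tgt not in SENSITIVE_TARGETS or src in BENIGN_SOURCES:
            continue
        hits[(ev["SourceImage"], tgt)].append(parse_utc(ev["UtcTime"]))

    alerts = []
    for (src, tgt), times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > TIME_WINDOW:
                start += 1
            if end - start + 1 >= MIN_ACCESSES:
                alerts.append((src, tgt, times[start], end - start + 1))
                break                          # one alert per pair is enough
    return alerts


def _ev(t, src, tgt, access="0x1010"):
    return {"EventCode": 10, "UtcTime": t, "SourceImage": src,
            "TargetImage": tgt, "GrantedAccess": access}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    _ev("2025-10-21 09:00:01.100", "C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\explorer.exe", "0x1FFFFF"),
    _ev("2025-10-21 09:00:02.100", "C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\explorer.exe", "0x1FFFFF"),
    _ev("2025-10-21 09:00:03.100", "C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\explorer.exe", "0x1FFFFF"),
    _ev("2025-10-21 09:01:00.000", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "C:\\Windows\\System32\\winlogon.exe"),
    _ev("2025-10-21 09:01:30.000", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "C:\\Windows\\System32\\winlogon.exe"),
    _ev("2025-10-21 09:02:05.000", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "C:\\Windows\\System32\\winlogon.exe"),
    _ev("2025-10-21 09:40:00.000", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "C:\\Windows\\System32\\winlogon.exe"),
    _ev("2025-10-21 09:05:00.000", "C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\explorer.exe"),
    _ev("2025-10-21 09:06:00.000", "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for src, tgt, start, n in detect_process_access(SAMPLE_EVENTS):
        print(f"{src} opened {tgt} {n} times starting {start:%H:%M:%S}")
```

The csrss.exe accesses are suppressed by the allowlist, the single notepad.exe access stays below the threshold, and only the Temp-resident binary that opens winlogon.exe three times within two minutes produces an alert. In production the GrantedAccess mask is a useful second filter, and the allowlist should be built from a baseline rather than guessed.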

AN0283

Detects tools or scripts that read input devices such as /dev/input/* (evdev) from suspicious processes that have no GUI context.

Log Sources
  Data Component              Name            Channel
  File Access (DC0055)        auditd:SYSCALL  open, read
  File Modification (DC0061)  auditd:SYSCALL  write
  OS API Execution (DC0021)   auditd:SYSCALL  ptrace, ioctl

Mutable Elements
  Field        Description
  ProcessName  Unusual process accessing device files
  DevicePath   Typically /dev/input/*, but tunable to the exact endpoint configuration
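As an added example for AN0283 (not code from the page or from MITRE), the detector below correlates auditd SYSCALL and PATH records by their audit serial number, keeps successful open/openat calls whose PATH record points under DevicePath, and alerts when the calling process is not on a GUI-context allowlist. The audit lines are constructed, the GUI_CONTEXT_COMMS allowlist is an assumption to be built from a per-host baseline, and the syscall numbers are x86_64 values; an audit rule such as `-w /dev/input -p r -k input_dev` would produce records of this shape.

```python
"""Added example for the AN0283 analytic: correlate auditd SYSCALL/PATH records
and flag non-GUI processes opening /dev/input devices. Not code from the DET0102
page; the log lines and allowlist are constructed for illustration."""
import re
from collections import defaultdict

DEVICE_PREFIX = "/dev/input/"                           # DevicePath (mutable)
# Processes expected to hold input devices on a desktop host (assumption; baseline per host).
GUI_CONTEXT_COMMS = {"Xorg", "Xwayland", "gnome-shell", "systemd-logind"}
OPEN_SYSCALLS = {"2": "open", "257": "openat"}          # x86_64 syscall numbers

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Turn one auditd line into a dict of fields plus _ts and _serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_ts"], fields["_serial"] = m.group(1), m.group(2)
    return fields


def detect_input_device_access(lines):
    """Group records by serial, then alert on successful opens of DevicePath by
    processes outside GUI_CONTEXT_COMMS. Failed opens are skipped here; a lower
    severity alert on them is a reasonable extension."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial[rec["_serial"]].append(rec)

    alerts = []
    for serial, recs in sorted(by_serial.items(), key=lambda kv: int(kv[0])):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sc or sc.get("syscall") not in OPEN_SYSCALLS or sc.get("success") != "yes":
            continue
        devices = [r["name"] for r in recs
                   if r.get("type") == "PATH" and r.get("name", "").startswith(DEVICE_PREFIX)]
        if not devices or sc.get("comm") in GUI_CONTEXT_COMMS:
            continue
        alerts.append({"serial": serial, "pid": sc.get("pid"), "uid": sc.get("uid"),
                       "comm": sc.get("comm"), "exe": sc.get("exe"),
                       "syscall": OPEN_SYSCALLS[sc["syscall"]], "device": devices[0]})
    return alerts


# Constructed audit lines (not real telemetry): Xorg holding event3 (benign),
# an unknown /tmp binary opening event3 (alert), the same binary opening a
# library cache (ignored) and a failed open of event0 (skipped).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1761037201.101:4501): arch=c000003e syscall=257 success=yes exit=9 a0=ffffff9c a1=55d0c8a1e2f0 a2=80002 a3=0 items=1 ppid=1 pid=1180 auid=4294967295 uid=0 gid=0 euid=0 comm="Xorg" exe="/usr/lib/xorg/Xorg" key="input_dev"
type=PATH msg=audit(1761037201.101:4501): item=0 name="/dev/input/event3" inode=123 dev=00:06 mode=020660 ouid=0 ogid=994 nametype=NORMAL
type=SYSCALL msg=audit(1761037260.417:4502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2c1e0a40 a2=0 a3=0 items=1 ppid=2207 pid=2211 auid=1000 uid=1000 gid=1000 euid=1000 comm="inputlog" exe="/tmp/.cache/inputlog" key="input_dev"
type=PATH msg=audit(1761037260.417:4502): item=0 name="/dev/input/event3" inode=123 dev=00:06 mode=020660 ouid=0 ogid=994 nametype=NORMAL
type=SYSCALL msg=audit(1761037260.420:4503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd2c1e0b00 a2=80000 a3=0 items=1 ppid=2207 pid=2211 auid=1000 uid=1000 gid=1000 euid=1000 comm="inputlog" exe="/tmp/.cache/inputlog" key="input_dev"
type=PATH msg=audit(1761037260.420:4503): item=0 name="/etc/ld.so.cache" inode=456 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1761037261.002:4504): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2c1e0c00 a1=0 a2=0 a3=0 items=1 ppid=2207 pid=2211 auid=1000 uid=1000 gid=1000 euid=1000 comm="inputlog" exe="/tmp/.cache/inputlog" key="input_dev"
type=PATH msg=audit(1761037261.002:4504): item=0 name="/dev/input/event0" inode=120 dev=00:06 mode=020660 ouid=0 ogid=994 nametype=NORMAL
"""

if __name__ == "__main__":
    for a in detect_input_device_access(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"serial {a['serial']}: {a['comm']} (pid {a['pid']}, uid {a['uid']}) "
              f"{a['syscall']} {a['device']} via {a['exe']}")
```

Correlating on the serial rather than matching SYSCALL lines alone matters because the device path only appears in the PATH record. The read and ioctl channels listed in the analytic produce SYSCALL records without PATH records, so for those the file descriptor from the open call has to be tracked per process instead.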

AN0284

Monitors for TCC bypasses or unauthorized access to input services such as IOHIDSystem or Quartz Event Services, which are used for keylogging or screen monitoring.

Log Sources
  Data Component             Name              Channel
  Process Metadata (DC0034)  macos:unifiedlog  subsystem=com.apple.TCC
  Process Creation (DC0032)  macos:osquery     launchd or process_events

Mutable Elements
  Field          Description
  Service        com.apple.accessibility, com.apple.quartz, etc., depending on the API path used
  ParentProcess  Unusual parent/child pairings can indicate malicious injection

AN0285

Detects web-based credential phishing by analyzing traffic to suspicious URLs that mimic login portals and receive POSTed credential content.

Log Sources
  Data Component                        Name          Channel
  Network Traffic Content (DC0085)      NSM:Flow      http.log
  Network Connection Creation (DC0082)  NSM:Firewall  proxy or TLS inspection logs

Mutable Elements
  Field      Description
  UserAgent  Mismatched browser identifiers used by phishing kits
  URL_Path   Paths resembling known login forms but hosted on unknown domains
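As an added example for AN0285 (not code from the page or from MITRE), the detector below runs over JSON-formatted Zeek http.log entries and implements the two mutable elements: URL_Path (a POST with a body to a login-looking path on a host outside the known login allowlist) and UserAgent (the POST's user agent differs from the one that client uses for the rest of its traffic, which is one reading of "mismatched browser identifiers"). It also flags hostnames that embed a known login brand without being that brand's domain. The log lines, KNOWN_LOGIN_HOSTS, BRAND_TOKENS and LOGIN_PATH_RE are constructed assumptions; the field names (id.orig_h, method, host, uri, user_agent, request_body_len, status_code) are Zeek's.

```python
"""Added example for the AN0285 analytic: credential-POST detection over
Zeek http.log (JSON) entries. Not code from the DET0102 page; log lines,
allowlist and patterns are constructed for illustration."""
import json
import re
from collections import Counter, defaultdict

# Assumption: the organisation's legitimate login endpoints.
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com", "sso.example-corp.com"}
# Assumption: brand tokens that a look-alike phishing hostname tends to embed.
BRAND_TOKENS = {"microsoftonline", "office365", "okta"}
# URL_Path (mutable): paths that resemble common login forms.
LOGIN_PATH_RE = re.compile(r"/(login|signin|sign-in|auth|wp-login\.php|owa/auth)\b", re.I)


def detect_credential_posts(log_lines):
    """Return alert dicts for POSTs that look like credential submissions to
    unknown login hosts, with the reasons that fired."""
    entries = [json.loads(line) for line in log_lines if line.strip()]

    # Per client, the user agent seen most often is treated as its "usual" browser.
    ua_per_client = defaultdict(Counter)
    for e in entries:
        ua_per_client[e["id.orig_h"]][e.get("user_agent", "")] += 1

    alerts = []
    for e in entries:
        if e.get("method") != "POST" or e.get("request_body_len", 0) == 0:
            continue
        host, uri = e.get("host", "").lower(), e.get("uri", "")
        if host in KNOWN_LOGIN_HOSTS or not LOGIN_PATH_RE.search(uri):
            continue
        reasons = ["login-form path on unknown host"]
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append("hostname mimics a known login brand")
        usual_ua = ua_per_client[e["id.orig_h"]].most_common(1)[0][0]
        if e.get("user_agent", "") != usual_ua:
            reasons.append("user-agent differs from client's usual browser")
        alerts.append({"ts": e["ts"], "client": e["id.orig_h"], "host": host,
                       "uri": uri, "body_len": e["request_body_len"], "reasons": reasons})
    return alerts


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Firefox/131.0"


def _rec(ts, client, method, host, uri, ua, body_len, status):
    return json.dumps({"ts": ts, "uid": f"C{int(ts * 100) % 100000}", "id.orig_h": client,
                       "id.resp_h": "203.0.113.10", "method": method, "host": host, "uri": uri,
                       "user_agent": ua, "request_body_len": body_len, "status_code": status})


# Constructed http.log lines (not real traffic).
SAMPLE_HTTP_LOG = [
    _rec(1761037800.10, "10.0.0.5", "GET", "www.example.org", "/index.html", CHROME, 0, 200),
    _rec(1761037801.20, "10.0.0.5", "POST", "login.microsoftonline.com", "/common/login", CHROME, 420, 302),
    _rec(1761037830.55, "10.0.0.5", "POST", "login-microsoftonline.com.secure-check.example",
         "/common/login", CHROME, 412, 302),
    _rec(1761037900.00, "10.0.0.7", "GET", "docs-share.example", "/share/report.pdf", FIREFOX, 0, 200),
    _rec(1761037901.00, "10.0.0.7", "GET", "docs-share.example", "/share/preview", FIREFOX, 0, 200),
    _rec(1761037905.30, "10.0.0.7", "POST", "docs-share.example", "/signin", "python-requests/2.31.0", 96, 200),
    _rec(1761037950.00, "10.0.0.7", "POST", "api.intranet.example", "/api/v1/items", FIREFOX, 512, 201),
]

if __name__ == "__main__":
    for a in detect_credential_posts(SAMPLE_HTTP_LOG):
        print(f"{a['client']} -> POST {a['host']}{a['uri']} ({a['body_len']} bytes): "
              + "; ".join(a["reasons"]))
```

Two of the seven lines fire: the look-alike Microsoft hostname (login path plus brand mimicry) and the /signin POST whose user agent is a scripted client while the same host otherwise browses with Firefox. The POST to the real login.microsoftonline.com and the intranet API POST are both ignored. With TLS in the path, the same logic applies to proxy or TLS-inspection logs, which is why the analytic lists them as a second channel.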