Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying

ID: DET0246
Domains: Enterprise
Analytics: AN0687, AN0688, AN0689
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0687

Behavior chain involving unexpected API calls to capture keyboard input, driver loads for keyloggers, or remote use of smart card authentication via logon sessions not initiated by local user interaction

Log Sources

| Data Component Name | Channel |
| --- | --- |
| Process Access (DC0035) | WinEventLog:Sysmon EventCode=10, 7 |
| Logon Session Creation (DC0067) | WinEventLog:Security EventCode=4624 with LogonType=9 or smartcard logon |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon EventCode=13 |

Mutable Elements

| Field | Description |
| --- | --- |
| AccessMask | Tunable based on what memory-level access the keylogger uses (e.g., 0x10 for read) |
| ProcessNameExclusions | Legitimate accessibility tools may use similar API calls (e.g., Magnifier.exe) |
| TimeWindow | Define how quickly access + registry mod + smart card use must co-occur |

AN0688

Detection of unauthorized keylogger behavior through access to /dev/input, loading kernel modules (e.g., via insmod), or polling user input devices from non-user shells

Log Sources

| Data Component Name | Channel |
| --- | --- |
| Process Access (DC0035) | linux:syslog syscalls (open, read, ioctl) on /dev/input or /proc/*/fd/* |
| Driver Load (DC0079) | linux:syslog dmesg or syslog for module loads |

Mutable Elements

| Field | Description |
| --- | --- |
| PathTarget | Can tune based on device paths accessed for keyboard input (e.g., /dev/input/event0) |
| UserContext | Exclude root or admin-auth shell sessions if needed |
| ModuleWhitelist | Set a known list of allowed kernel modules |

AN0689

Processes accessing TCC-protected input APIs or polling HID services without user interaction, or dynamically loaded keylogging frameworks using accessibility privileges

Log Sources

| Data Component Name | Channel |
| --- | --- |
| OS API Execution (DC0021) | macos:unifiedlog com.apple.securityd, com.apple.tccd |
| Process Creation (DC0032) | macos:osquery query: process_events, launchd, and tcc.db access |

Mutable Elements

| Field | Description |
| --- | --- |
| AccessibilityAPIUsage | Detection of programs requesting access to input monitoring (e.g., CGEventTap) |
| TCCBypassAttempt | Alert if TCC settings are altered or bypassed |
| SignedBinaryCheck | Tunable based on developer signing status (legitimate software vs unsigned) |