1. Home
  2. Techniques
  3. Enterprise
  4. Input Capture

Input Capture

ID Name
T1056.001 Keylogging
T1056.002 GUI Input Capture
T1056.003 Web Portal Capture
T1056.004 Credential API Hooking

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

ID: T1056
Sub-techniques:  T1056.001, T1056.002, T1056.003, T1056.004
Platforms: Linux, Network, Windows, macOS
Contributors: John Lambert, Microsoft Threat Intelligence Center
Version: 1.3
Created: 31 May 2017
Last Modified: 13 August 2024
Version Permalink

Procedure Examples

ID Name Description
G0087 APT39

APT39 has utilized tools to capture mouse movements.[1]
S0631 Chaes

Chaes has a module to perform any API hooking it desires.[2]

S0381 FlawedAmmyy

FlawedAmmyy can collect mouse events.[3]
S0641 Kobalos

Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[4][5]

S1060 Mafalda

Mafalda can conduct mouse event logging.[6]
S1059 metaMain

metaMain can log mouse events.[6]
S1131 NPPSPY

NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext.[7]
C0039 Versa Director Zero Day Exploitation

Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices.[8]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0027 Driver Driver Load

Monitor for unusual kernel driver installation activity.

Analytic 1 - Unexpected kernel driver installations.

index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")
DS0022 File File Modification

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

Analytic 1 - Unexpected file modifications.

index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100")

DS0009 Process OS API Execution

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState [9]
Process Creation

Monitor for newly executed processes conducting malicious activity

Process Metadata

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.
DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys or values for unexpected modifications

References

  1. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  2. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  3. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  4. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  5. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  1. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  2. Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
  3. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024.
  4. Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.