Input Capture

Adversaries can use methods of capturing user input, including keylogging and user input field interception, to obtain credentials for Valid Accounts and information for Collection.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, [1] but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. [2]

Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.

Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service. [3]

ID: T1056

Tactic: Collection, Credential Access

Platform: Linux, macOS, Windows

Permissions Required: Administrator, SYSTEM

Data Sources: Windows Registry, Kernel drivers, Process monitoring, API monitoring

CAPEC ID: CAPEC-569

Contributors: John Lambert, Microsoft Threat Intelligence Center

Version: 1.0

Examples

Name / Description

ADVSTORESHELL

ADVSTORESHELL can perform keylogging.[4][5]

Agent Tesla

Agent Tesla can log keystrokes on the victim’s machine.[6][7][8]

APT28

APT28 has used tools to perform keylogging.[9][10]

APT3

APT3 has used a keylogging tool that records keystrokes in encrypted files.[11]

APT38

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[12]

Astaroth

Astaroth logs keystrokes from the victim's machine.[13]

BADNEWS

When it first starts, BADNEWS spawns a new thread to log keystrokes.[14][15][16]

BadPatch

BadPatch has a keylogging capability.[17]

Bandook

Bandook contains keylogging capabilities.[18]

BISCUIT

BISCUIT can capture keystrokes.[19]

BlackEnergy

BlackEnergy has run a keylogger plug-in on a victim.[20]

Carbanak

Carbanak logs keystrokes for configured processes and sends them back to the C2 server.[21][22]

Cardinal RAT

Cardinal RAT can log keystrokes.[23]

Catchamas

Catchamas collects keystrokes from the victim’s machine.[24]

CHOPSTICK

CHOPSTICK is capable of performing keylogging.[25][4][10]

Cobalt Strike

Cobalt Strike can track key presses with a keylogger module.[26]

Cobian RAT

Cobian RAT has a feature to perform keylogging on the victim’s machine.[27]

CosmicDuke

CosmicDuke uses a keylogger and steals clipboard contents from victims.[28]

DarkComet

DarkComet has a keylogging capability.[29]

Darkhotel

Darkhotel has used a keylogger.[30]

Daserf

Daserf can log keystrokes.[31][32]

Derusbi

Derusbi is capable of logging keystrokes.[33]

DOGCALL

DOGCALL is capable of logging keystrokes.[34][35]

Duqu

Duqu can track key presses with a keylogger module.[36]

DustySky

DustySky contains a keylogger.[37]

Empire

Empire includes keylogging capabilities for Windows, Linux, and macOS systems.[38]

EvilGrab

EvilGrab has the capability to capture keystrokes.[39]

FakeM

FakeM contains a keylogger module.[40]

FIN4

FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[41][42]

gh0st RAT

gh0st RAT has a keylogger.[43]

GreyEnergy

GreyEnergy has a module to harvest pressed keystrokes.[44]

Group5

Malware used by Group5 is capable of capturing keystrokes.[45]

Helminth

The executable version of Helminth has a module to log keystrokes.[46]

HTTPBrowser

HTTPBrowser is capable of capturing keystrokes on victims.[47]

JPIN

JPIN contains a custom keylogger.[48]

jRAT

jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[49][50]

Kasidet

Kasidet has the ability to initiate keylogging.[51]

Ke3chang

Ke3chang has used keyloggers.[52]

KONNI

KONNI has the capability to perform keylogging.[53]

Lazarus Group

Lazarus Group malware KiloAlfa contains keylogging functionality.[54][55]

MacSpy

MacSpy captures keystrokes.[56]

Magic Hound

Magic Hound malware is capable of keylogging.[57]

Matroyshka

Matroyshka is capable of keylogging.[58][59]

menuPass

menuPass has used keyloggers to steal usernames and passwords.[60]

Micropsia

Micropsia has keylogging capabilities.[61]

MoonWind

MoonWind has a keylogger.[62]

NanoCore

NanoCore can perform keylogging on the victim’s machine.[63]

NavRAT

NavRAT logs the keystrokes on the targeted system.[64]

NetTraveler

NetTraveler contains a keylogger.[65]

NETWIRE

NETWIRE can perform keylogging.[66][67]

OilRig

OilRig has used a keylogging tool called KEYPUNCH.[68]

OwaAuth

OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.[47]

PLATINUM

PLATINUM has used several different keyloggers.

PlugX

PlugX has a module for capturing keystrokes per process including window titles.[69]

PoisonIvy

PoisonIvy contains a keylogger.[70][71]

PoshC2

PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[72]

PowerSploit

PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes.[73][74]

Prikormka

Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[75]

Proton

Proton uses a keylogger to capture keystrokes.[56]

Pupy

Pupy uses a keylogger to capture keystrokes, which it then sends back to the server after it is stopped.[76]

QuasarRAT

QuasarRAT has a built-in keylogger.[77][78]

Regin

Regin contains a keylogger.[79]

Remcos

Remcos has a command for keylogging.[80][81]

Remexi

Remexi gathers and exfiltrates keystrokes from the machine.[82]

Remsec

Remsec contains a keylogger component.[83][84]

ROKRAT

ROKRAT uses a keylogger to capture keystrokes and the location where the user is typing.[85]

Rover

Rover has keylogging functionality.[86]

RTM

RTM can record keystrokes from both the keyboard and virtual keyboard.[87]

RunningRAT

RunningRAT captures keystrokes and sends them back to the C2 server.[88]

Sowbug

Sowbug has used keylogging tools.[89]

SslMM

SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.[90]

Stolen Pencil

Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}.[91]

Sykipot

Sykipot contains keylogging functionality to steal passwords.[92]

Threat Group-3390

Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.[47][93][94]

TinyZBot

TinyZBot contains keylogger functionality.[95]

Unknown Logger

Unknown Logger is capable of recording keystrokes.[14]

VERMIN

VERMIN collects keystrokes from the victim machine.[96]

XAgentOSX

XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log. It can handle special characters, and by default it will buffer 50 characters before sending them out over the C2 infrastructure.[97]

yty

yty uses a keylogger plugin to gather keystrokes.[98]

Zeus Panda

Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.[99]

Mitigation

Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting [100] tools, like AppLocker, [101] [102] or Software Restriction Policies [103] where appropriate. [104]

In cases where this behavior is difficult to detect or mitigate, efforts can be made to lessen some of the impact that might result from an adversary acquiring credential information. It is also good practice to follow mitigation recommendations for adversary use of Valid Accounts.

Detection

Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook, GetKeyState, and GetAsyncKeyState. [1] Monitor the Registry and file system for such changes and detect driver installs, as well as looking for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

Monitor the Registry for the addition of a Custom Credential Provider. [2] Detection of compromised Valid Accounts in use by adversaries may help to catch the result of user input interception if new techniques are used.
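
The Detection guidance above can be written as a small correlation rule; this is an added example, not part of the original page or of any product. The event schema, the polling threshold, the PIDs and the CLSIDs are constructed assumptions, and the registry path is the standard Windows credential provider location.

```python
from collections import defaultdict

# APIs named in the Detection text; SetWindowsHookEx is the current form of SetWindowsHook.
KEY_APIS = {"SetWindowsHook", "SetWindowsHookEx", "GetKeyState", "GetAsyncKeyState"}
POLL_APIS = {"GetKeyState", "GetAsyncKeyState"}
POLL_THRESHOLD = 1000  # assumed tuning value: calls per collection window
# Standard location where Windows registers credential providers (one subkey per CLSID).
CRED_PROVIDERS = (r"hklm\software\microsoft\windows\currentversion"
                  r"\authentication\credential providers" "\\")

def triage(events, baseline_clsids):
    """Return sorted (pid, reason) findings from a list of telemetry event dicts."""
    signals = defaultdict(set)
    findings = set()
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "api" and ev["api"] in KEY_APIS:
            # Occasional key-state reads are normal UI code; only sustained polling counts.
            if ev["api"] in POLL_APIS and ev.get("count", 1) < POLL_THRESHOLD:
                continue
            signals[pid].add("key_api")
        elif kind == "file_write":
            signals[pid].add("new_file")
        elif kind == "driver_install":
            signals[pid].add("driver_install")
        elif kind == "reg_set":
            key = ev["key"].lower()
            if key.startswith(CRED_PROVIDERS):
                clsid = key[len(CRED_PROVIDERS):].split("\\")[0]
                # A provider CLSID absent from the known-good baseline is reported on its own.
                if clsid and clsid not in baseline_clsids:
                    findings.add((pid, "credential_provider_added:" + clsid))
    for pid, seen in signals.items():
        # API use alone is not an indicator: require a second, independent signal.
        corroboration = seen - {"key_api"}
        if "key_api" in seen and corroboration:
            findings.add((pid, "key_api+" + "+".join(sorted(corroboration))))
    return sorted(findings)

# Constructed sample data (hypothetical PIDs, paths and CLSIDs).
BASELINE_CLSIDS = {"{00000000-0000-0000-0000-000000000001}"}
PROVIDER_ROOT = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Authentication\Credential Providers")
SAMPLE_EVENTS = [
    # Sustained polling plus a new file from the same process: reported.
    {"type": "api", "pid": 4120, "api": "GetAsyncKeyState", "count": 5200},
    {"type": "file_write", "pid": 4120, "path": r"C:\Users\demo\AppData\Roaming\k.log"},
    # A hook with no corroborating signal (e.g. a hotkey utility): not reported.
    {"type": "api", "pid": 880, "api": "SetWindowsHookEx", "count": 1},
    # A few key-state reads by an app that also saves files: below threshold, not reported.
    {"type": "api", "pid": 2044, "api": "GetKeyState", "count": 12},
    {"type": "file_write", "pid": 2044, "path": r"C:\Users\demo\Documents\notes.txt"},
    # Registry writes under Credential Providers: baseline CLSID ignored, new one reported.
    {"type": "reg_set", "pid": 612,
     "key": PROVIDER_ROOT + r"\{00000000-0000-0000-0000-000000000001}"},
    {"type": "reg_set", "pid": 3308,
     "key": PROVIDER_ROOT + r"\{11111111-2222-3333-4444-555555555555}"},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS, BASELINE_CLSIDS):
        print(pid, reason)
```

The baseline set should be built from a known-good image of the fleet, since legitimate software such as smart card or MFA agents also registers credential providers.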

References

  1. Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
  2. Wrightson, T. (2012, January 2). CAPTURING WINDOWS 7 CREDENTIALS AT LOGON USING CUSTOM CREDENTIAL PROVIDER. Retrieved November 12, 2014.
  3. Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.
  4. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  5. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  6. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  7. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  8. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  9. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  10. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  11. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  12. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  13. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  14. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  15. Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  16. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  17. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  18. Galperin, E., et al. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018.
  19. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  20. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  21. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  22. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  23. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  24. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  25. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  26. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  27. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  28. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  29. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  30. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  31. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  32. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  33. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  34. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  35. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  36. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  37. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  38. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  39. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  40. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  41. Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  42. Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  43. Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.
  44. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  45. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  46. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  47. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  48. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  49. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  50. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  51. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  52. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  53. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  54. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  55. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  56. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  57. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  58. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  59. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  60. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  61. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  62. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  63. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  64. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  65. Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
  66. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  67. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
  68. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  69. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  70. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  71. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  72. Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.
  73. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  74. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  75. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  76. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  77. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  78. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  79. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  80. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  81. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  82. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  83. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  84. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  85. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  86. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  87. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  88. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  89. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  90. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  91. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  92. Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
  93. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
  94. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  95. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  96. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  97. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  98. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  99. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  100. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
  101. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  102. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  103. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  104. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.