Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

ID: T1056
Sub-techniques:  T1056.001, T1056.002, T1056.003, T1056.004
Platforms: Linux, Network, Windows, macOS
Permissions Required: Administrator, SYSTEM, User, root
Contributors: John Lambert, Microsoft Threat Intelligence Center
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2023

Procedure Examples

ID Name Description
G0087 APT39

APT39 has utilized tools to capture mouse movements.[1]

S0631 Chaes

Chaes has a module to perform any API hooking it desires.[2]

S0381 FlawedAmmyy

FlawedAmmyy can collect mouse events.[3]

S0641 Kobalos

Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[4][5]

S1060 Mafalda

Mafalda can conduct mouse event logging.[6]

S1059 metaMain

metaMain can log mouse events.[6]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0027 Driver Driver Load

Monitor for unusual kernel driver installation activity

DS0022 File File Modification

Monitor for changes made to files for unexpected modifications to access permissions and attributes

DS0009 Process OS API Execution

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState [7]

Process Creation

Monitor for newly executed processes conducting malicious activity

Process Metadata

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys or values for unexpected modifications

References