Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).
For example, adversaries have used tooling that monitors the Windows message loop to detect when a user visits bank-specific URLs. If detected, the tool then simulates keystrokes to open the developer console or select the address bar, pastes malicious JavaScript from the clipboard, and executes it - enabling manipulation of content within the browser, such as replacing bank account numbers during transactions.[1][2]
Adversaries have also used malicious USB devices to emulate keystrokes that launch PowerShell, leading to the download and execution of malware from adversary-controlled servers.[3]
| ID | Name | Description |
|---|---|---|
| G0046 | FIN7 |
FIN7 has used malicious USBs to emulate keystrokes to launch PowerShell to download and execute malware from the adversary's server.[4] |
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention |
Denylist scripting and use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., |
| M1034 | Limit Hardware Installation |
Limit the use of USB devices and removable media within a network. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0016 | Drive | Drive Creation |
Monitor for newly executed processes when removable media is mounted. Additionally, monitor for unexpected or rapid USB HID enumeration events (e.g., a USB HID device connecting and immediately issuing keystrokes) or anomalies (e.g., a device claiming to be a keyboard but has a suspicious vendor ID) that could indicate a possible rogue device. Tools like Windows Event Logs (e.g., event IDs 20001 - 20003), sysfs on Linux (e.g., Additionally, consider leveraging keyboard hook APIs to monitor for keystrokes that are too fast and too uniform (e.g., a script executing keystrokes with no human variation or that are too precise). Analytic 1 Detect HID like Device Injection
|
| DS0009 | Process | Process Creation |
Monitor log files for process execution through command-line and scripting activities. Additionally monitor for various tools launching keystrokes such as PowerShell, AutoHotkey, xdotool, AppleScript, or WScript. Analytic 1 - Unusual Input Simulators
|
| DS0012 | Script | Script Execution |
Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Analytic 1 - Scripts injected via clipboard or keystroke simulation
|