Input Capture

Jump to: navigation, search
Input Capture
ID T1056
Tactic Collection, Credential Access
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Permissions Required Administrator, SYSTEM
Data Sources Windows Registry, Kernel drivers, Process monitoring, API monitoring
Contributors John Lambert, Microsoft Threat Intelligence Center

Adversaries can use methods of capturing user input for obtaining credentials for Legitimate Credentials and information Collection that include keylogging and user input field interception.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes,1 but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider.2

Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.

Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Legitimate Credentials or as part of the initial compromise by exploitation of the externally facing web service.3


  • APT28 can deploy a tool to perform keylogging.4
  • Darkhotel uses a sophisticated keylogger.5
  • APT3 has used a keylogging tool that records keystrokes in encrypted files.6
  • Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers.7
  • Lazarus Group malware KiloAlfa contains keylogging functionality.8
  • Malware used by Group5 is capable of capturing keystrokes.9
  • TinyZBot contains keylogger functionality.10
  • PoisonIvy contains a keylogger.11
  • Sykipot contains keylogging functionality to steal passwords.12
  • Regin contains a keylogger.13
  • CHOPSTICK is capable of performing keylogging.1415
  • Carbanak contains keylogger functionality.16
  • The gh0st RAT has a keylogger.17
  • NetTraveler contains a keylogger.18
  • Duqu can track key presses with a keylogger module.19
  • ADVSTORESHELL can perform keylogging.1520
  • CosmicDuke uses a keylogger and steals clipboard contents from victims.21
  • SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.22
  • DustySky contains a keylogger.23
  • HTTPBrowser is capable of capturing keystrokes on victims.7
  • OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.7
  • FakeM contains a keylogger module.24
  • Kasidet has the ability to initiate keylogging.25
  • BlackEnergy has run a keylogger plug-in on a victim.26
  • Rover has keylogging functionality.27
  • Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.28
  • Remsec contains a keylogger component.2930
  • When it first starts, BADNEWS spawns a new thread to log keystrokes.31
  • Unknown Logger is capable of recording keystrokes.31
  • RTM can record keystrokes from both the keyboard and virtual keyboard.32
  • MoonWind has a keylogger.33


Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting34 tools, like AppLocker,3536 or Software Restriction Policies37 where appropriate.38

In cases where this behavior is difficult to detect or mitigate, efforts can be made to lessen some of the impact that might result from an adversary acquiring credential information. It is also good practice to follow mitigation recommendations for adversary use of Legitimate Credentials.


Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook, GetKeyState, and GetAsynceyState.1 Monitor the Registry and file system for such changes and detect driver installs, as well as looking for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

Monitor the Registry for the addition of a Custom Credential Provider.2 Detection of compromised Legitimate Credentials in use by adversaries may help to catch the result of user input interception if new techniques are used.


  1. a b  Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
  2. a b  Wrightson, T. (2012, January 2). CAPTURING WINDOWS 7 CREDENTIALS AT LOGON USING CUSTOM CREDENTIAL PROVIDER. Retrieved November 12, 2014.
  3. ^  Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.
  4. ^  Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  5. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  6. ^  Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  7. a b c  Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  8. ^  Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  9. ^  Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  10. ^  Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
  11. ^  FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  12. ^  Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
  13. ^  Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  14. ^  Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  15. a b  ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  16. ^  Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 3, 2015.
  17. ^  Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.
  18. ^  Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
  19. ^  Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  1. ^  Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  2. ^  F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  3. ^  Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
  4. ^  ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  5. ^  Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  6. ^  Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  7. ^  Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  8. ^  Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  9. ^  Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  10. ^  Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  11. ^  Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  12. a b  Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  13. ^  Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  14. ^  Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  15. ^  Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  16. ^  Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  17. ^  NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  18. ^  Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  19. ^  Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.