Input Capture: Keylogging

Adversaries may log user keystrokes to intercept credentials and password-protected machine identities as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.[1] Some methods include:

  • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
  • Reading raw keystroke data from the hardware buffer.
  • Windows Registry modifications.
  • Custom drivers.
  • Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.[2]

Procedure Examples

  • APT39: APT39 has used tools for capturing keystrokes.[3]
  • APT41: APT41 used a keylogger called GEARSHIFT on a target system.[4]
  • BADNEWS: When it first starts, BADNEWS spawns a new thread to log keystrokes.[5][6][7]
  • Cobalt Strike: Cobalt Strike can track key presses with a keylogger module.[8]
  • Machete: Machete logs keystrokes from the victim’s machine.[9][10][11][12]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook, GetKeyState, and GetAsyncKeyState.[1] Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.
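The guidance above (look for the hook and polling APIs, but treat them as one signal among several) can be turned into a small correlation rule. The following Python script is an added example, not part of this page or of any ATT&CK tooling: it reads a constructed set of telemetry lines, profiles each process by the keyboard-hook and key-state-polling calls it makes and by files it writes after the first such call, suppresses an assumed allowlist of processes that legitimately poll the keyboard, and reports a process only when the combined score passes a threshold. The event format, the hook identifiers' treatment, the allowlist and the thresholds are all assumptions of this example.

```python
import re
from collections import defaultdict

# API families the Detection section names. SetWindowsHook is covered in its
# A/W and Ex variants; GetKeyState/GetAsyncKeyState are the polling calls.
HOOK_APIS = {"SetWindowsHookA", "SetWindowsHookW", "SetWindowsHookExA", "SetWindowsHookExW"}
POLL_APIS = {"GetKeyState", "GetAsyncKeyState"}
KEYBOARD_HOOK_IDS = {2, 13}                  # WH_KEYBOARD and WH_KEYBOARD_LL hook ids
ALLOWLIST = {"explorer.exe", "ctfmon.exe"}   # assumed legitimate pollers; tune per estate
POLL_THRESHOLD = 3    # assumed: this many key-state polls counts as a signal
ALERT_THRESHOLD = 4   # assumed: combined score needed before a process is reported

# Constructed sample telemetry: one key=value event per line (process start,
# API-monitoring call, or file write), as an endpoint sensor might emit it.
SAMPLE_LOG = """\
ts=1 type=process pid=100 image=explorer.exe parent=winlogon.exe
ts=2 type=api pid=100 call=GetAsyncKeyState
ts=3 type=process pid=200 image=updater.exe parent=winword.exe
ts=4 type=api pid=200 call=SetWindowsHookExW arg=13
ts=5 type=api pid=200 call=GetAsyncKeyState
ts=6 type=api pid=200 call=GetAsyncKeyState
ts=7 type=file pid=200 path=C:\\Users\\Public\\klog.txt
ts=8 type=process pid=300 image=notepad.exe parent=explorer.exe
ts=9 type=api pid=300 call=GetKeyState
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse key=value lines into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(KV.findall(line))
        ev["ts"] = int(ev["ts"])
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def profile_processes(events):
    """Build a per-process view: image, parent, hook/poll activity, later file writes."""
    procs = defaultdict(lambda: {"image": "?", "parent": "?", "keyboard_hook": False,
                                 "polls": 0, "first_api_ts": None, "files_after_api": []})
    for ev in events:
        p = procs[ev["pid"]]
        if ev["type"] == "process":
            p["image"], p["parent"] = ev["image"], ev["parent"]
        elif ev["type"] == "api":
            call = ev["call"]
            # A SetWindowsHook* call counts only when the hook id is a keyboard hook.
            if call in HOOK_APIS and int(ev.get("arg", -1)) in KEYBOARD_HOOK_IDS:
                p["keyboard_hook"] = True
            elif call in POLL_APIS:
                p["polls"] += 1
            if (call in HOOK_APIS or call in POLL_APIS) and p["first_api_ts"] is None:
                p["first_api_ts"] = ev["ts"]
        elif ev["type"] == "file":
            # A file written after keystroke APIs were used is the "new files
            # written to disk" corroboration the Detection section asks for.
            if p["first_api_ts"] is not None and ev["ts"] > p["first_api_ts"]:
                p["files_after_api"].append(ev["path"])
    return procs


def score(p):
    """Combine weak signals into one score; returns (score, reasons)."""
    if p["image"].lower() in ALLOWLIST:
        return 0, []
    s, reasons = 0, []
    if p["keyboard_hook"]:
        s += 3
        reasons.append("keyboard hook installed via SetWindowsHook")
    if p["polls"] >= POLL_THRESHOLD:
        s += 2
        reasons.append(f"{p['polls']} key-state polls")
    if p["files_after_api"]:
        s += 2
        reasons.append("file written after keylogging API: " + ", ".join(p["files_after_api"]))
    return s, reasons


def find_keylogger_candidates(log_text=SAMPLE_LOG):
    """Return {pid: finding} for processes whose combined score reaches the threshold."""
    findings = {}
    for pid, p in profile_processes(parse_events(log_text)).items():
        s, reasons = score(p)
        if s >= ALERT_THRESHOLD:
            findings[pid] = {"image": p["image"], "parent": p["parent"],
                             "score": s, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in find_keylogger_candidates().items():
        print(f"pid {pid} ({f['image']}, parent {f['parent']}): "
              f"score {f['score']}; {'; '.join(f['reasons'])}")
```

On the constructed input only pid 200 is reported: it installs a low-level keyboard hook and then writes a file, while explorer.exe is suppressed by the allowlist and notepad.exe's single GetKeyState call never reaches a threshold on its own. A single API call is deliberately worth nothing by itself; the weights make a process reportable only when a hook or sustained polling coincides with another signal such as a subsequent file write.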


ID: VT0018.001
Tactics: Collection, Credential Access
Platforms: Linux, Network, Windows, macOS
Permissions Required: Administrator, SYSTEM, User, root
Data Sources: API monitoring, Process monitoring, Windows Registry
Version: 1.1

Created: 27 December 2020

Last Modified: 27 December 2020