{ "type": "bundle", "id": "bundle--cd54fd9f-ebb0-49ef-b159-43cf2be40d45", "spec_version": "2.0", "objects": [ { "modified": "2023-03-30T21:01:37.930Z", "name": "Keylogging", "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. On Windows, commonly used API calls include `SetWindowsHook` (in practice the `SetWindowsHookEx` variant with a keyboard hook type) and the polled functions `GetKeyState` and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls; for the polled functions, the signal is sustained, repeated calling rather than any single call.\nAPI calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.", "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Windows", "macOS", "Linux", "Network" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Process: OS API Execution", "Windows Registry: Windows Registry Key Modification", "Driver: Driver Load" ], "x_mitre_permissions_required": [ "Administrator", "root", "SYSTEM", "User" ], "type": "attack-pattern", "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", "created": "2020-02-11T18:58:11.791Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1056/001", "external_id": "T1056.001" }, { "source_name": "Adventures of a Keystroke", "description": "Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.", "url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" }, { "source_name": "Cisco Blog Legacy Device Attacks", "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0" } ] }