Input Capture, Technique T1056 - Enterprise | MITRE ATT&CK®

Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

ID: T1056
Sub-techniques:  T1056.001, T1056.002, T1056.003, T1056.004
Platforms: Linux, Network, Windows, macOS
Contributors: John Lambert, Microsoft Threat Intelligence Center
Version: 1.3
Created: 31 May 2017
Last Modified: 13 August 2024

Procedure Examples

ID Name Description
G0087 APT39

APT39 has utilized tools to capture mouse movements.[1]

S0631 Chaes

Chaes has a module to perform any API hooking it desires.[2]

S0381 FlawedAmmyy

FlawedAmmyy can collect mouse events.[3]

S0641 Kobalos

Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[4][5]

S1060 Mafalda

Mafalda can conduct mouse event logging.[6]

S1059 metaMain

metaMain can log mouse events.[6]

S1131 NPPSPY

NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext.[7]

C0039 Versa Director Zero Day Exploitation

Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices.[8]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0027 Driver Driver Load

Monitor for unusual kernel driver installation activity.

Analytic 1 - Unexpected kernel driver installations.

index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")

DS0022 File File Modification

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

Analytic 1 - Unexpected file modifications.

index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100")

DS0009 Process OS API Execution

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState [9]

Process Creation

Monitor for newly executed processes conducting malicious activity

Process Metadata

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to windows registry keys or values for unexpected modifications

References