ID | Name |
---|---|
T1056.001 | Keylogging |
T1056.002 | GUI Input Capture |
T1056.003 | Web Portal Capture |
T1056.004 | Credential API Hooking |
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.[1] Some methods include:
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
ADVSTORESHELL can perform keylogging.[3][4] |
S0331 | Agent Tesla |
Agent Tesla can log keystrokes on the victim’s machine.[5][6][7][8][9] |
G0130 | Ajax Security Team |
Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[10] |
S0622 | AppleSeed |
AppleSeed can use |
G0007 | APT28 | |
G0022 | APT3 |
APT3 has used a keylogging tool that records keystrokes in encrypted files.[16] |
G0050 | APT32 |
APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.[17] |
G0082 | APT38 |
APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[18] |
G0087 | APT39 | |
G0096 | APT41 |
APT41 used a keylogger called GEARSHIFT on a target system.[21] |
S0373 | Astaroth | |
S0438 | Attor |
One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.[23] |
S0414 | BabyShark |
BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[24] |
S0128 | BADNEWS |
When it first starts, BADNEWS spawns a new thread to log keystrokes.[25][26][27] |
S0337 | BadPatch | |
S0234 | Bandook | |
S0017 | BISCUIT | |
S0089 | BlackEnergy |
BlackEnergy has run a keylogger plug-in on a victim.[31] |
S0454 | Cadelspy |
Cadelspy has the ability to log keystrokes on the compromised host.[32] |
S0030 | Carbanak |
Carbanak logs key strokes for configured processes and sends them back to the C2 server.[33][34] |
S0348 | Cardinal RAT |
Cardinal RAT can log keystrokes.[35] |
S0261 | Catchamas |
Catchamas collects keystrokes from the victim’s machine.[36] |
S0023 | CHOPSTICK | |
S0660 | Clambling |
Clambling can capture keystrokes on a compromised host.[38][39] |
S0154 | Cobalt Strike |
Cobalt Strike can track key presses with a keylogger module.[40][41][42] |
S0338 | Cobian RAT |
Cobian RAT has a feature to perform keylogging on the victim’s machine.[43] |
S0050 | CosmicDuke |
CosmicDuke uses a keylogger.[44] |
S0115 | Crimson |
Crimson can use a module to perform keylogging on compromised hosts.[45][46] |
S0625 | Cuba |
Cuba logs keystrokes via polling by using |
S0334 | DarkComet | |
G0012 | Darkhotel | |
S0673 | DarkWatchman |
DarkWatchman can track key presses with a keylogger module.[50] |
S0187 | Daserf | |
S0021 | Derusbi | |
S0213 | DOGCALL | |
S0567 | Dtrack | |
S0038 | Duqu | |
S0062 | DustySky | |
S0593 | ECCENTRICBANDWAGON |
ECCENTRICBANDWAGON can capture and store keystrokes.[59] |
S0363 | Empire |
Empire includes keylogging capabilities for Windows, Linux, and macOS systems.[60] |
S0152 | EvilGrab | |
S0569 | Explosive |
Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.[62][63] |
S0076 | FakeM | |
G0085 | FIN4 |
FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[65][66] |
S0410 | Fysbis | |
S0032 | gh0st RAT | |
S0531 | Grandoreiro |
Grandoreiro can log keystrokes on the victim's machine.[70] |
S0342 | GreyEnergy |
GreyEnergy has a module to harvest pressed keystrokes.[71] |
G0043 | Group5 |
Malware used by Group5 is capable of capturing keystrokes.[72] |
S0170 | Helminth |
The executable version of Helminth has a module to log keystrokes.[73] |
S0070 | HTTPBrowser |
HTTPBrowser is capable of capturing keystrokes on victims.[74] |
S0434 | Imminent Monitor |
Imminent Monitor has a keylogging module.[75] |
S0260 | InvisiMole |
InvisiMole can capture keystrokes on a compromised host.[76] |
S0201 | JPIN | |
S0283 | jRAT |
jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[78][79] |
S0088 | Kasidet | |
G0004 | Ke3chang | |
S0387 | KeyBoy |
KeyBoy installs a keylogger for intercepting credentials and keystrokes.[83] |
S0526 | KGH_SPY |
KGH_SPY can perform keylogging by polling the |
G0094 | Kimsuky |
Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.[85][86][87][88][89][12] |
S0437 | Kivars |
Kivars has the ability to initiate keylogging on the infected host.[90] |
S0356 | KONNI | |
G0032 | Lazarus Group |
Lazarus Group malware KiloAlfa contains keylogging functionality.[92][93] |
S0447 | Lokibot |
Lokibot has the ability to capture input on the compromised host via keylogging.[94] |
S0409 | Machete |
Machete logs keystrokes from the victim’s machine.[95][96][97][98] |
S0282 | MacSpy | |
G0059 | Magic Hound |
Magic Hound malware is capable of keylogging.[100] |
S0652 | MarkiRAT |
MarkiRAT can capture all keystrokes on a compromised host.[101] |
S0167 | Matryoshka |
Matryoshka is capable of keylogging.[102][103] |
G0045 | menuPass |
menuPass has used key loggers to steal usernames and passwords.[104] |
S0455 | Metamorfo |
Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.[105][106] |
S0339 | Micropsia | |
S0149 | MoonWind | |
S0336 | NanoCore |
NanoCore can perform keylogging on the victim’s machine.[109] |
S0247 | NavRAT | |
S0033 | NetTraveler |
NetTraveler contains a keylogger.[111] |
S0198 | NETWIRE | |
S0385 | njRAT | |
G0049 | OilRig |
OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.[119][120] |
S0439 | Okrum |
Okrum was seen using a keylogger tool to capture keystrokes. [121] |
G0116 | Operation Wocao |
Operation Wocao has obtained the password for the victim's password manager via a custom keylogger.[122] |
S0072 | OwaAuth |
OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, |
S0643 | Peppy | |
G0068 | PLATINUM | |
S0013 | PlugX |
PlugX has a module for capturing keystrokes per process including window titles.[123] |
S0428 | PoetRAT |
PoetRAT has used a Python tool named klog.exe for keylogging.[124] |
S0012 | PoisonIvy | |
S0378 | PoshC2 |
PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[127] |
S0194 | PowerSploit |
PowerSploit's |
S0113 | Prikormka |
Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[130] |
S0279 | Proton | |
S0192 | Pupy |
Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.[131] |
S0650 | QakBot |
QakBot can capture keystrokes on a compromised host.[132][133][134] |
S0262 | QuasarRAT | |
S0662 | RCSession |
RCSession has the ability to capture keystrokes on a compromised host.[38][137] |
S0019 | Regin | |
S0332 | Remcos | |
S0375 | Remexi |
Remexi gathers and exfiltrates keystrokes from the machine.[141] |
S0125 | Remsec | |
S0379 | Revenge RAT |
Revenge RAT has a plugin for keylogging.[144][145] |
S0240 | ROKRAT |
ROKRAT can use |
S0090 | Rover | |
S0148 | RTM |
RTM can record keystrokes from both the keyboard and virtual keyboard.[149][150] |
S0253 | RunningRAT |
RunningRAT captures keystrokes and sends them back to the C2 server.[151] |
G0034 | Sandworm Team |
Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[152] |
S0692 | SILENTTRINITY |
SILENTTRINITY has a keylogging capability.[153] |
S0533 | SLOTHFULMEDIA |
SLOTHFULMEDIA has a keylogging capability.[154] |
S0649 | SMOKEDHAM | |
G0054 | Sowbug | |
S0058 | SslMM |
SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.[158] |
S0018 | Sykipot |
Sykipot contains keylogging functionality to steal passwords.[159] |
S0467 | TajMahal |
TajMahal has the ability to capture keystrokes on an infected host.[160] |
S0595 | ThiefQuest |
ThiefQuest uses the |
G0027 | Threat Group-3390 |
Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.[74][162][163] |
S0004 | TinyZBot | |
G0131 | Tonto Team |
Tonto Team has used keylogging tools in their operations.[165] |
S0094 | Trojan.Karagany |
Trojan.Karagany can capture keystrokes on a compromised host.[166] |
S0130 | Unknown Logger |
Unknown Logger is capable of recording keystrokes.[25] |
S0257 | VERMIN | |
S0670 | WarzoneRAT |
WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the |
S0161 | XAgentOSX |
XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.[170] |
S0248 | yty | |
S0330 | Zeus Panda |
Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.[172] |
S0412 | ZxShell |
ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.[21][173] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0027 | Driver | Driver Load |
DS0009 | Process | OS API Execution |
DS0024 | Windows Registry | Windows Registry Key Modification |
Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook
, GetKeyState
, and GetAsyncKeyState
.[1] Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.