Keylogging

Information

• Name: Keylogging

• ID: T1056.001

• Tactics: TA0009, TA0006

• Technique: T1056

Introduction

Keylogging (T1056.001) is a sub-technique under the Input Capture (T1056) technique within the MITRE ATT&CK framework. It involves capturing keystrokes from users to intercept sensitive information such as credentials, personal data, or financial information. Attackers typically use keylogging to obtain initial access, maintain persistence, escalate privileges, or facilitate lateral movement within compromised environments.

Deep Dive Into Technique

Keylogging techniques can be implemented through various methods, each differing in complexity, stealth, and effectiveness. Attackers commonly employ the following execution methods:

• Software-based Keyloggers:

  • Malicious software installed on endpoints, often hidden within legitimate applications or delivered via phishing campaigns.

  • Typically utilize hooking or polling methods to intercept keystrokes:

    • Hooking: Injecting code into system APIs or processes to capture keystrokes directly.

    • Polling: Regularly querying system state to detect and record keystrokes.

• Kernel-level Keyloggers:

  • Operate at kernel or driver level, providing deeper integration and higher stealth.

  • Difficult to detect due to their low-level operation and ability to bypass standard security controls.

• Hardware-based Keyloggers:

  • Physical devices connected between keyboard and computer, capturing keystrokes directly.

  • Often undetectable by software-based security tools, requiring physical inspection for detection.

• Memory Injection:

  • Attackers inject malicious code into legitimate processes to evade detection and capture keystrokes stealthily.

  • Examples include DLL injection, process hollowing, or reflective loading.

• Credential Harvesting Tools:

  • Attackers may leverage specialized credential harvesting tools (e.g., Mimikatz) that include keylogging functionalities.

Real-world attackers typically exfiltrate captured keystrokes via encrypted channels, HTTP/S POST requests, SMTP email, or covert channels to evade detection.

When this Technique is Usually Used

Attackers commonly employ keylogging across multiple stages of the cyber kill chain:

• Initial Access and Credential Theft:

  • Capturing login credentials for initial compromise or further exploitation.

  • Used extensively in phishing campaigns to harvest user credentials.

• Persistence and Long-term Surveillance:

  • Continuously monitoring user activity to gather sensitive information over extended periods.

  • Often utilized in Advanced Persistent Threat (APT) campaigns for long-term espionage.

• Privilege Escalation and Lateral Movement:

  • Capturing privileged account credentials to escalate privileges or move laterally within compromised networks.

  • Observing administrative commands and sensitive inputs to facilitate further attacks.

• Financial Fraud and Identity Theft:

  • Capturing banking credentials, credit card numbers, and personal identifiable information (PII) to commit financial fraud or identity theft.

• Espionage and Intellectual Property Theft:

  • Monitoring employee keystrokes to steal sensitive corporate data, intellectual property, or trade secrets.

How this Technique is Usually Detected

Detection methods for keylogging include proactive monitoring, behavioral analysis, and endpoint protection solutions:

• Endpoint Detection and Response (EDR) Solutions:

  • Identify suspicious system behaviors, API hooking, and process injections.

  • Detect anomalous process activities or unusual interactions with system input APIs.

• Behavioral Analytics and Anomaly Detection:

  • Monitor user input patterns and detect deviations from normal behavior.

  • Identify unusual inter-process communications, memory injections, or unauthorized keyboard hooks.

• Antivirus and Anti-malware Software:

  • Signature-based detection of known keylogger binaries or malicious payloads.

  • Heuristic analysis to identify suspicious behaviors indicative of keylogging activities.

• Network Monitoring and Traffic Analysis:

  • Detect unusual outbound network traffic indicative of keystroke exfiltration.

  • Analyze encrypted or covert channels used for data exfiltration.

• Physical Inspection and Hardware Audits:

  • Regularly inspect endpoints and peripherals for unauthorized hardware keyloggers.

  • Verify integrity and authenticity of peripheral devices.

Specific Indicators of Compromise (IoCs) include:

• Unrecognized processes or DLLs hooking keyboard input APIs (e.g., SetWindowsHookEx).

• Suspicious registry modifications or persistence mechanisms.

• Unusual outbound network connections or data transfers.

• Presence of unauthorized hardware devices connected to endpoints.

Why it is Important to Detect This Technique

Early detection of keylogging is critical due to its severe impacts on organizations and individuals, including:

• Credential Theft and Account Compromise:

  • Attackers gain unauthorized access to sensitive accounts, systems, or applications.

  • Compromise of privileged accounts leading to broader network infiltration.

• Data Breaches and Information Leakage:

  • Sensitive corporate data, intellectual property, trade secrets, or personal information may be stolen.

  • Significant financial, regulatory, and reputational damage resulting from breaches.

• Financial Loss and Fraud:

  • Financial account credentials and payment information can be captured, leading to direct monetary loss.

  • Increased risk of identity theft and fraudulent transactions.

• Espionage and Surveillance Risks:

  • Attackers can conduct long-term surveillance, capturing strategic or confidential information.

  • Potential impacts on national security or critical infrastructure if sensitive government or industrial information is compromised.

• Regulatory and Compliance Implications:

  • Organizations may face regulatory penalties, legal action, or compliance violations resulting from undetected keylogging attacks.

  • Potential loss of customer trust and reputation due to compromised user information.

Early detection and response significantly reduces these risks, limits potential damage, and mitigates long-term impacts of keylogging attacks.

Examples

Real-world examples demonstrating keylogging attacks include:

• Agent Tesla Malware:

  • Widely distributed via phishing emails, Agent Tesla includes keylogging capabilities to capture user credentials and sensitive information.

  • Captured data is exfiltrated via SMTP or HTTP/S channels, causing credential compromise and financial fraud.

• HawkEye Keylogger:

  • Delivered through malicious email attachments or exploit kits.

  • Captures keystrokes, clipboard data, and screenshots, exfiltrating data through email or FTP servers, leading to credential theft and identity fraud.

• DarkHotel APT Campaign:

  • Targeted executives staying in luxury hotels by deploying keyloggers via compromised hotel Wi-Fi networks.

  • Captured sensitive corporate data and credentials, facilitating espionage and intellectual property theft.

• FIN7 Group Attacks:

  • Used malicious documents and spear-phishing emails to deploy keyloggers within targeted retail and hospitality organizations.

  • Captured payment card information and credentials leading to significant financial losses.

• Hardware Keylogger Incident (University Data Breach):

  • Attackers physically installed hardware keyloggers on university computers to capture faculty credentials and sensitive research data.

  • Resulted in unauthorized access to confidential research projects and intellectual property loss.

These examples illustrate diverse attack scenarios, tools, and impacts associated with keylogging, highlighting the necessity of robust detection and mitigation strategies.