search
GitHubPsMapExec

Keylogging

https://attack.mitre.org/techniques/T1562/004/

ATT&CK ID: T1056.001arrow-up-right

Permissions Required: Administrator | SYSTEM | root | User

Description

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes. Some methods include:

  • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.

  • Reading raw keystroke data from the hardware buffer.

  • Windows Registry modifications.

  • Custom drivers.

  • Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.

hashtag
Techniques

hashtag
Empire

usemodule/powershell/collection/keylogger

hashtag
Metasploit

# Meterpreter
keyscan_start
keyscan_dump

# Modules
use post/windows/capture/lockout_keylogger

hashtag
PowerSploit

URL: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Get-Keystrokes.ps1arrow-up-right

Last updated