Keylogging
April 3, 2025 · View on GitHub
| ID | F0002 |
| Objective(s) | Collection, Credential Access |
| Related ATT&CK Techniques | Input Capture: Keylogging (T1056.001, T1417.001) |
| Version | 2.3 |
| Created | 14 August 2020 |
| Last Modified | 27 April 2024 |
Keylogging
Malware captures user keyboard input.
See ATT&CK: Input Capture: Keylogging (T1056.001, T1417.001)
Methods
| Name | ID | Description |
|---|---|---|
| Application Hook | F0002.001 | Keystrokes are captured with an application hook. |
| Polling | F0002.002 | Keystrokes are captured via polling (e.g., user32.GetAsyncKeyState, user32.GetKeyState). |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| Hupigon | 2013 | -- | Certain variants of the malware may have keylogging functionality. [1] |
| Hupigon | 2013 | F0002.002 | Malware logs keystrokes via polling. [9] |
| UP007 | 2016 | -- | The malware logs keystrokes to a file. [2] |
| BlackEnergy | 2007 | -- | BlackEnergy's keylogger plugin allows for the collection of keystrokes. [3] |
| DarkComet | 2008 | -- | DarkComet can capture keystrokes. [4] |
| Dark Comet | 2008 | F0002.002 | Malware logs keystrokes via polling. [9] |
| Poison Ivy | 2005 | -- | Poison Ivy can capture keystrokes. [5] |
| CHOPSTICK | 2015 | -- | CHOPSTICK collects user keystrokes. [6] |
| Kovter | 2016 | F0002.002 | Malware logs keystrokes via polling. [9] |
| Redhip | 2011 | F0002.001 | Malware logs keystrokes via application hook. [9] |
| Redhip | 2011 | F0002.002 | Malware logs keystrokes via polling. [9] |
| Rombertik | 2015 | F0002.002 | Malware logs keystrokes via polling. [9] |
| Ursnif | 2016 | F0002.002 | Malware logs keystrokes via polling. [9] |
| Snake | 2004 | F0002.001 | Malware logs keystrokes via application hook. [10] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| log keystrokes via polling | Keylogging::Polling (F0002.002) | user32.GetAsyncKeyState, user32.GetKeyState, user32.GetKeyboardState, user32.VkKeyScan, user32.VkKeyScanEx, user32.GetKeyNameText |
| log keystrokes via application hook | Keylogging::Application Hook (F0002.001) | -- |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| infostealer_keylog | Keylogging (F0002) | SetWindowsHookExA, GetAsyncKeyState, SetWindowsHookExW |
| infostealer_keylog | Keylogging::Application Hook (F0002.001) | SetWindowsHookExA, GetAsyncKeyState, SetWindowsHookExW |
| browser_scanbox | Keylogging (F0002) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
F0002.002 Snippet
Collection::Keylogging::Polling
SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
Location: 0x438af1

```asm
push 0x11                     ; argument for the call: 0x11 is VK_CONTROL, the Windows virtual-key code for the CTRL key
call USER32.DLL::GetKeyState  ; query the state of the CTRL key; the SHORT result is returned in ax
test ax, 0x8000               ; check the high-order bit of the return value, which is set when the key is down
setnz al                      ; al = 1 if the zero flag is clear (the bit was set, so CTRL is pressed), otherwise al = 0
```
References
[1] https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
[2] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[3] https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
[4] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[5] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[6] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[7] capa v4.0, analyzed at MITRE on 10/12/2022
[8] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
[9] capa v4.0, analyzed at MITRE on 10/12/2022
[10] https://www.cybereason.com/blog/research/threat-analysis-report-snake-infostealer-malware