Description
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data. Reading raw keystroke data from the hardware buffer. Windows Registry modifications. Custom drivers. * Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
Platforms
Threat Groups (26)
| ID | Group | Context |
|---|---|---|
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware is capable of keylogging.(Citation: Unit 42 Magic Hound Feb 2017) |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used tools for capturing keystrokes.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH A... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.(Citation: FireEye APT38 O... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has created and accessed a file named rult3uil.log on compromised domain controllers to capture ... |
| G0130 | Ajax Security Team | [Ajax Security Team](https://attack.mitre.org/groups/G0130) has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an i... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used tools to perform keylogging.(Citation: Microsoft SIR Vol 19)(Citation: DOJ GRU Indictment Jul ... |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has used a keylogger.(Citation: Kaspersky Darkhotel) |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used key loggers to steal usernames and passwords.(Citation: District Court of NY APT10 Indictme... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has used malware with keylogging capabilities to monitor the communications of targeted entities.(Citati... |
| G0131 | Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used keylogging tools in their operations.(Citation: TrendMicro Tonto Team October 2020) |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors installed a credential logger on Microsoft Exchange servers. [Threat Group-3390](htt... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware KiloAlfa contains keylogging functionality.(Citation: Novetta Blockbuster)(Citation: No... |
| G0043 | Group5 | Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of capturing keystrokes.(Citation: Citizen Lab Group5) |
| G0068 | PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has used several different keyloggers.(Citation: Microsoft PLATINUM April 2016) |
| G0085 | FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylo... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.(Citation: ES... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.(Citation... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has employed keyloggers including KEYPUNCH and LONGWATCH.(Citation: FireEye APT34 Webinar Dec 2017)(Ci... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used custom malware to log keystrokes.(Citation: Mandiant APT42-charms) |
| G0054 | Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) has used keylogging tools.(Citation: Symantec Sowbug Nov 2017) |
Associated Software (126)
| ID | Name | Type | Context |
|---|---|---|---|
| S0021 | Derusbi | Malware | [Derusbi](https://attack.mitre.org/software/S0021) is capable of logging keystrokes.(Citation: FireEye Periscope March 2018) |
| S1012 | PowerLess | Malware | [PowerLess](https://attack.mitre.org/software/S1012) can use a module to log keystrokes.(Citation: Cybereason PowerLess February 2022) |
| S0643 | Peppy | Malware | [Peppy](https://attack.mitre.org/software/S0643) can log keystrokes on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) has the capability to install a live and offline keylogger, including through the use of the `Ge... |
| S0038 | Duqu | Malware | [Duqu](https://attack.mitre.org/software/S0038) can track key presses with a keylogger module.(Citation: Symantec W32.Duqu) |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) has the capability to log keystrokes from the victim’s machine, both offline and online.(Citation: jRA... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has a command to launch a keylogger and capture keystrokes on the victim’s machine.(Citation: For... |
| S0045 | ADVSTORESHELL | Malware | [ADVSTORESHELL](https://attack.mitre.org/software/S0045) can perform keylogging.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015) |
| S1146 | MgBot | Malware | [MgBot](https://attack.mitre.org/software/S1146) includes keylogger payloads focused on the QQ chat application.(Citation: ESET EvasivePanda 2023)(Cit... |
| S0149 | MoonWind | Malware | [MoonWind](https://attack.mitre.org/software/S0149) has a keylogger.(Citation: Palo Alto MoonWind March 2017) |
| S0152 | EvilGrab | Malware | [EvilGrab](https://attack.mitre.org/software/S0152) has the capability to capture keystrokes.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
| S0161 | XAgentOSX | Malware | [XAgentOSX](https://attack.mitre.org/software/S0161) contains keylogging functionality that will monitor for active application windows and write them... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) includes keylogging capabilities for Windows, Linux, and macOS systems.(Citation: Github PowerShell ... |
| S0339 | Micropsia | Malware | [Micropsia](https://attack.mitre.org/software/S0339) has keylogging capabilities.(Citation: Radware Micropsia July 2018) |
| S0113 | Prikormka | Malware | [Prikormka](https://attack.mitre.org/software/S0113) contains a keylogger module that collects keystrokes and the titles of foreground windows.(Citati... |
| S0410 | Fysbis | Malware | [Fysbis](https://attack.mitre.org/software/S0410) can perform keylogging.(Citation: Fysbis Palo Alto Analysis) |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194)'s <code>Get-Keystrokes</code> Exfiltration module can log keystrokes.(Citation: GitHub PowerSpl... |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) has a plugin for keylogging.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT F... |
| S0167 | Matryoshka | Malware | [Matryoshka](https://attack.mitre.org/software/S0167) is capable of keylogging.(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2... |
| S0381 | FlawedAmmyy | Malware | [FlawedAmmyy](https://attack.mitre.org/software/S0381) can collect keyboard events.(Citation: Korean FSI TA505 2020) |
References
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
- Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
Frequently Asked Questions
What is T1056.001 (Keylogging)?
T1056.001 is a MITRE ATT&CK technique named 'Keylogging'. It belongs to the Collection, Credential Access tactic(s). Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](ht...
How can T1056.001 be detected?
Detection of T1056.001 (Keylogging) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1056.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1056.001?
Known threat groups using T1056.001 include: Magic Hound, APT39, APT38, Volt Typhoon, Ajax Security Team, APT28, Darkhotel, menuPass.