Description
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).
Platforms
Sub-Techniques (4)
Keylogging
T1056.002GUI Input Capture
T1056.003Web Portal Capture
T1056.004Credential API Hooking
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used credential harvesting websites.(Citation: Mandiant APT42-untangling) |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has used a PowerShell script to capture user credentials after prompting a user to authenticate to... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has utilized tools to capture mouse movements.(Citation: FBI FLASH APT39 September 2020) |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S1245 | InvisibleFerret | Malware | [InvisibleFerret](https://attack.mitre.org/software/S1245) has collected mouse and keyboard events using “pyWinhook”.(Citation: PaloAlto ContagiousInt... |
| S1059 | metaMain | Malware | [metaMain](https://attack.mitre.org/software/S1059) can log mouse events.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can conduct mouse event logging.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has a module to perform any API hooking it desires.(Citation: Cybereason Chaes Nov 2020) |
| S0381 | FlawedAmmyy | Malware | [FlawedAmmyy](https://attack.mitre.org/software/S0381) can collect mouse events.(Citation: Korean FSI TA505 2020) |
| S0641 | Kobalos | Malware | [Kobalos](https://attack.mitre.org/software/S0641) has used a compromised SSH client to capture the hostname, port, username and password used to esta... |
| S1131 | NPPSPY | Tool | [NPPSPY](https://attack.mitre.org/software/S1131) captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening D... |
References
Frequently Asked Questions
What is T1056 (Input Capture)?
T1056 is a MITRE ATT&CK technique named 'Input Capture'. It belongs to the Collection, Credential Access tactic(s). Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as lo...
How can T1056 be detected?
Detection of T1056 (Input Capture) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1056?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1056?
Known threat groups using T1056 include: APT42, Storm-1811, APT39.