Keylogging · SynAc

Senses

Keylogging

Senses

Sense 1

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021) Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data. Reading raw keystroke data from the hardware buffer. Windows Registry modifications. Custom drivers. Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:

Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
Reading raw keystroke data from the hardware buffer.
Windows Registry modifications.
Custom drivers.
Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)

MITRE ATT&CK (CTI STIX Data)

Sense 2

Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them. Some methods of keylogging include: Masquerading as a legitimate third party keyboard to record user keystrokes.(Citation: Zeltser Keyboard) On both Android and iOS, users must explicitly authorize the use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested. Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an class, overriding the method, and listening for the event type. The event object passed into the function will contain the data that the user typed. Additional methods of keylogging may be possible if root access is available.

Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.

Some methods of keylogging include:

Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.
Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed. *Additional methods of keylogging may be possible if root access is available.

MITRE ATT&CK (Mobile, CTI STIX Data)