# T1056 Input Capture

-----------------------------------------------------------------------

## Technique Description

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).

## Technique Detection

Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.

-----------------------------------------------------------------------

### Tactics:

  * Collection

  * Credential-Access

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

### Adversary Required Permissions:

  * Administrator

  * SYSTEM

  * root

  * User

### Data Sources:

  * **Process:** Process Metadata

  * **Process:** Process Creation

  * **File:** File Modification

  * **Windows Registry:** Windows Registry Key Modification

  * **Process:** OS API Execution

  * **Driver:** Driver Load

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has utilized tools to capture mouse movements.(Citation: FBI FLASH APT39 September 2020)|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1056)

  * [Capec](https://capec.mitre.org/data/definitions/569.html)

  * [Adventures Of A Keystroke](http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf), Tinaztepe,  E. (n.d.). The Adventures of a Keystroke:  An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*

-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use tools to capture input, most notably, from keystrokes.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### APT28
- Has used tools to perform keylogging
    - Zebrocy (a trojan that has been used by APT28) installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method.
    - ADVSTORESHELL (a spying backdoor that has been used by APT28) can perform keylogging.
    - CHOPSTICK (a malware family of modular backdoors used by APT28) is capable of performing keylogging.

## Detection Blindspots

- API calls may not be identified in host logs.

## Analytical References

  * [Atomic Red Team - T1056.001 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md)
  * [Atomic Red Team - T1056.002 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md)
  * [Atomic Red Team - T1056.004 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md)
  * [Sofacy Activity 2017 (securelist)](https://securelist.com/a-slice-of-2017-sofacy-activity/83930/)
  * [APT28 Espionage - Military, Government (security.com)](https://symantec-enterprise-blogs.security.com/blogs/election-security/apt28-espionage-military-government)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Keylogging may be identified through various API calls and hooks. From a host perspective, our adversaries will likely use crafted tools to perform this action.
- Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but they may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.
- Monitor for malicious instances of Command and Scripting Interpreter (T1059), and ensure no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.

#### Analytic 1

  * **Information:** Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls should be examined.

  * **Source:** Sysmon, Windows Audits

  * **Tool:** Kibana

  * **Notes:** event codes:
    - 4657 : Registry value was modified (Windows Audit)
    - 12 : RegistryEvent (Object create and delete) (Sysmon)
    - 13 : RegistryEvent (Value set) (Sysmon)
    - 14 : RegistryEvent (Key and Value Rename) (Sysmon)
    - 1 or 4688 : Process Creation (Sysmon / Windows Audit)
    - 5379 : Credential Manager credentials were read (Windows Audit)
    - 11 : File Creation (Sysmon)

  * **Query:** ```API call : SetWindowsHookEx or SetWinEventHook or GetKeyState or GetAsyncKeyState```

  * **Query:** ```event.code : 4657 or 12 or 13 or 14```
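As an added example (not part of this playbook or of MITRE's page), the following Python script applies the Hunter Notes' point that a hook-API call should be combined with file and Registry activity by the same process before it is flagged. It correlates constructed sample events per process using the event codes and API names from Analytic 1; the `api.call` field is an assumed name for API-call telemetry from an EDR, not a Sysmon or Windows Audit field.

```python
# Added example: correlate the Analytic 1 signals per process so that a hook API
# call on its own is not an alert, but one joined by file and Registry activity is.
from collections import defaultdict

# API names from the Analytic 1 query.
HOOK_APIS = {"SetWindowsHookEx", "SetWinEventHook", "GetKeyState", "GetAsyncKeyState"}
# Event codes from the Analytic 1 notes.
PROCESS_CODES = {1, 4688}            # Sysmon 1 / Security 4688: process creation
REGISTRY_CODES = {4657, 12, 13, 14}  # Security 4657 / Sysmon 12-14: registry changes
FILE_CODES = {11}                    # Sysmon 11: file creation

# Constructed sample telemetry (not real logs). "api.call" is an assumed field
# for API-call telemetry such as an EDR would provide; it is not a Sysmon field.
SAMPLE_EVENTS = [
    {"event.code": 1, "process.pid": 4242, "process.name": "updater.exe"},
    {"event.code": 13, "process.pid": 4242,
     "registry.path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"event.code": 11, "process.pid": 4242,
     "file.path": "C:\\Users\\alice\\AppData\\Local\\Temp\\k.log"},
    {"api.call": "SetWindowsHookEx", "process.pid": 4242},
    {"event.code": 1, "process.pid": 5151, "process.name": "notepad.exe"},
    {"api.call": "GetAsyncKeyState", "process.pid": 5151},  # API call alone: not enough
]


def classify(event):
    """Map one event to the Analytic 1 signal type it represents, or None."""
    code = event.get("event.code")
    if event.get("api.call") in HOOK_APIS:
        return "hook_api"
    if code in PROCESS_CODES:
        return "process_created"
    if code in REGISTRY_CODES:
        return "registry_modified"
    if code in FILE_CODES:
        return "file_created"
    return None


def correlate(events, min_signals=3):
    """Return {pid: sorted signal types} for processes that show at least
    min_signals distinct signal types, one of which is a hook API call."""
    signals = defaultdict(set)
    for ev in events:
        sig = classify(ev)
        if sig is not None:
            signals[ev["process.pid"]].add(sig)
    return {pid: sorted(s) for pid, s in signals.items()
            if "hook_api" in s and len(s) >= min_signals}


if __name__ == "__main__":
    for pid, sigs in correlate(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(sigs)}")
```

Lowering `min_signals` widens the net (pid 5151 then surfaces on process creation plus the API call alone), which is the trade-off the Hunter Notes describe.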

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

