Skip to content
Branch: master
Find file Copy path
Find file Copy path
CircleCI Atomic Red Team doc generator Generate docs from job=validate_atomics_generate_docs branch=master 6965fc1 Nov 15, 2018
0 contributors

Users who have contributed to this file

36 lines (23 sloc) 2.24 KB

T1056 - Input Capture

Description from ATT&CK

Adversaries can use methods of capturing user input for obtaining credentials for [Valid Accounts]( and information Collection that include keylogging and user input field interception.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, (Citation: Adventures of a Keystroke) but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. (Citation: Wrightson 2012)

Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.

Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)

Atomic Tests

Atomic Test #1 - Input Capture

Utilize PowerShell and external resource to capture keystrokes Payload Provided by PowerSploit

Supported Platforms: Windows


Name Description Type Default Value
filepath Name of the local file, include path. Path c:\key.log

Run it with powershell!

.\Get-Keystrokes.ps1 -LogPath #{filepath}

You can’t perform that action at this time.