log keystrokes

rule:
  meta:
    name: log keystrokes
    namespace: collection/keylog
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Collection::Input Capture::Keylogging [T1056.001]
    examples:
      - C91887D861D9BD4A5872249B641BC9F9:0x4015FD
  features:
    - or:
      - and:
        - api: SetWindowsHookEx
        - api: GetKeyState
      - and:
        - api: RegisterHotKey
        - api: user32.keybd_event
        - api: UnregisterHotKey
      - and:
        - api: CallNextHookEx
        - api: user32.GetKeyNameText
        - api: user32.GetAsyncKeyState
        - api: user32.GetForgroundWindow
      - api: user32.AttachThreadInput
      - api: user32.MapVirtualKey