log keystrokes via application hook

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: log keystrokes via application hook
    namespace: collection/keylog
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Collection::Input Capture::Keylogging [T1056.001]
    mbc:
      - Collection::Keylogging::Application Hook [F0002.001]
    examples:
      - Practical Malware Analysis Lab 12-03.exe_:0x401000
  features:
    - and:
      - match: set application hook
      - or:
        - number: 13 = WH_KEYBOARD_LL
        - number: 2  = WH_KEYBOARD

last edited: 2024-06-06 07:39:53