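# capa rule: flags code that obtains a DirectInput interface, the first step a
# program takes before it can read keyboard state through DirectInput.
# The page's flattened layout left `rule`, `meta`, `scopes` and `features`
# empty, with their children parsed as top-level keys; nesting is restored here.
rule:
  meta:
    name: log keystrokes via direct input
    namespace: collection/keylog
    authors:
      - zeze-zeze
    scopes:
      # Matched per function in static analysis and per API call in dynamic
      # traces.
      static: function
      dynamic: call
    att&ck:
      - Collection::Input Capture::Keylogging [T1056.001]
    examples:
      - 0db010298586f17ee7e46f390d5724be.exe_
  features:
    # Any one of the DirectInput factory exports is enough to match.
    # NOTE(review): these calls only create the top-level DirectInput object.
    # The keyboard device is opened and polled afterwards through COM
    # interface methods, which do not show up as imported APIs, so a hit
    # indicates the capability rather than confirmed keystroke capture.
    # DirectInput is also used by games and other input-heavy software, so
    # corroborate a match (e.g. background polling, output written to disk or
    # sent over the network) before treating it as T1056.001 activity.
    - or:
        - api: dinput8.DirectInput8Create
        - api: dinput.DirectInputCreateEx
        - api: dinput.DirectInputCreateW
        - api: dinput.DirectInputCreateA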
last edited: 2025-10-28 13:12:07