log keystrokes via polling

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: log keystrokes via polling
    namespace: collection/keylog
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Collection::Input Capture::Keylogging [T1056.001]
    mbc:
      - Collection::Keylogging::Polling [F0002.002]
    examples:
      - Practical Malware Analysis Lab 11-03.dll_:0x10001030
  features:
    - or:
      - api: user32.GetAsyncKeyState
      - api: user32.GetKeyState
      - api: user32.GetKeyboardState
      - api: user32.VkKeyScan
      - api: user32.VkKeyScanEx
      - api: user32.GetKeyNameText

last edited: 2023-11-24 10:34:28