register raw input devices

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: register raw input devices
    namespace: collection/keylog
    authors:
      - zeze-zeze
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Collection::Input Capture::Keylogging [T1056.001]
    examples:
      - 52d8e95c9883cd16d7b44e3a7adc22d6.exe_
  features:
    - or:
      - api: user32.RegisterRawInputDevices

last edited: 2025-10-28 15:20:39