T1056

Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). Common sub-techniques include keylogging via Windows hooks (SetWindowsHookEx), GUI input capture via credential dialog spoofing, web portal capture via fake login pages, and credential API hooking via DLL injection into authentication processes. Threat actors including APT42, Storm-1811, and APT39 have leveraged these techniques, as have malware families such as InvisibleFerret, Chaes, Kobalos, and NPPSPY.

Microsoft Sentinel / Defender

kusto

// T1056 Input Capture — Multi-Signal Detection
// Covers: Network Provider DLL registration (NPPSPY), suspicious DLL loads into credential processes,
// input hook API usage, and clipboard/keyboard monitoring process activity
let SuspiciousInputAPIs = dynamic([
  "SetWindowsHookEx", "GetAsyncKeyState", "GetKeyState", "GetRawInputData",
  "pyWinhook", "pynput", "keyboard.hook", "InputCapture",
  "WH_KEYBOARD", "WH_KEYBOARD_LL", "WH_MOUSE_LL"
]);
let CredentialProcesses = dynamic(["winlogon.exe", "lsass.exe", "LogonUI.exe", "consent.exe", "credui.exe"]);
// Signal 1: Suspicious network provider DLL registration (NPPSPY technique)
let NetworkProviderReg = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has @"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
    or (RegistryKey has @"SYSTEM\CurrentControlSet\Services" and RegistryKey endswith @"\NetworkProvider")
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe")
| extend SignalType = "NetworkProviderRegistration"
| project Timestamp, DeviceName, AccountName, SignalType,
    RegistryKey, RegistryValueName, RegistryValueData,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath;
// Signal 2: Suspicious DLL loaded into credential/authentication processes
let HookDLLLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (CredentialProcesses)
| where FolderPath !startswith @"C:\Windows\System32\\"
    and FolderPath !startswith @"C:\Windows\SysWOW64\\"
    and FolderPath !startswith @"C:\Program Files\\"
    and FolderPath !startswith @"C:\Program Files (x86)\\"
| where FileName endswith ".dll"
| extend SignalType = "SuspiciousDLLInCredentialProcess"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, SignalType,
    FileName, FolderPath, SHA256,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath;
// Signal 3: Process creation with input capture indicators
let InputCaptureProcess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SuspiciousInputAPIs)
    or (FileName has_any ("keylog", "keyscan", "hookdll", "inputcap", "credcap"))
    or (FolderPath !startswith @"C:\Windows\" and FolderPath !startswith @"C:\Program Files"
        and (ProcessCommandLine has "GetClipboard" or ProcessCommandLine has "Get-Clipboard")
        and ProcessCommandLine has_any ("while", "loop", "sleep", "timer", "interval"))
| extend SignalType = "InputCaptureAPIOrTool"
| project Timestamp, DeviceName, AccountName, SignalType,
    FileName, FolderPath, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath;
// Signal 4: Process injection into Winlogon or credential UI (common for hooking)
let WinlogonInjection = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall" or ActionType == "ProcessInjection"
| where AdditionalFields has_any ("winlogon.exe", "LogonUI.exe", "credui.exe", "consent.exe")
| extend SignalType = "InjectionIntoCredentialProcess"
| project Timestamp, DeviceName, AccountName, SignalType,
    FileName, ProcessCommandLine=AdditionalFields,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath;
// Union all signals
union isfuzzy=true NetworkProviderReg, HookDLLLoad, InputCaptureProcess, WinlogonInjection
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Windows Registry: Windows Registry Key Modification Module: Module Load Process: Process Access Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceImageLoadEvents DeviceProcessEvents DeviceEvents

False Positives

Legitimate accessibility software (screen readers, on-screen keyboards, Dragon NaturallySpeaking) that register low-level keyboard hooks via SetWindowsHookEx
Enterprise security products (DLP agents, PAM tools like CyberArk) that monitor credential entry as a security control — these load DLLs into credential processes
Password managers (1Password, Bitwarden, KeePass) that hook input fields for autofill functionality
Keyboard remapping utilities (AutoHotkey, SharpKeys, Microsoft PowerToys) that legitimately intercept and redirect keystrokes
Remote desktop and KVM software (TeamViewer, AnyDesk, VNC) that capture keyboard/mouse input for remote transmission
Custom enterprise single-sign-on (SSO) credential providers legitimately registered as network providers in HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    (TargetObject="*\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order*"
     OR TargetObject="*\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider*")
    NOT (Image="*\\services.exe" OR Image="*\\svchost.exe" OR Image="*\\msiexec.exe" OR Image="*\\TrustedInstaller.exe")
  | eval SignalType="NetworkProviderRegistration"
  | eval Details=coalesce(Details, RegistryDetails)
  | table _time, host, User, Image, TargetObject, Details, SignalType
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
    (Image="*\\winlogon.exe" OR Image="*\\lsass.exe" OR Image="*\\LogonUI.exe"
     OR Image="*\\consent.exe" OR Image="*\\credui.exe")
    NOT (ImageLoaded="C:\\Windows\\System32\\*" OR ImageLoaded="C:\\Windows\\SysWOW64\\*"
         OR ImageLoaded="C:\\Program Files\\*" OR ImageLoaded="C:\\Program Files (x86)\\*")
  | eval SignalType="SuspiciousDLLInCredentialProcess"
  | table _time, host, User, Image, ImageLoaded, Hashes, SignalType
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*SetWindowsHookEx*" OR CommandLine="*GetAsyncKeyState*" OR CommandLine="*GetKeyState*"
     OR CommandLine="*pyWinhook*" OR CommandLine="*WH_KEYBOARD_LL*" OR CommandLine="*WH_MOUSE_LL*"
     OR CommandLine="*pynput*" OR CommandLine="*Get-Clipboard*"
     OR Image="*keylog*" OR Image="*keycap*" OR Image="*inputcap*")
  | eval SignalType="InputCaptureAPIOrTool"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
    (TargetImage="*\\winlogon.exe" OR TargetImage="*\\LogonUI.exe"
     OR TargetImage="*\\credui.exe" OR TargetImage="*\\consent.exe")
  | eval SignalType="RemoteThreadInCredentialProcess"
  | table _time, host, SourceImage, SourceCommandLine, TargetImage, StartFunction, SignalType
]
| eval SeverityScore=case(
    SignalType="NetworkProviderRegistration", 90,
    SignalType="RemoteThreadInCredentialProcess", 95,
    SignalType="SuspiciousDLLInCredentialProcess", 85,
    SignalType="InputCaptureAPIOrTool", 70,
    true(), 50)
| sort - SeverityScore, - _time

high severity medium confidence

Data Sources

Windows Registry: Windows Registry Key Modification Module: Module Load Process: Process Creation Process: Process Access Sysmon Event ID 13 (Registry Value Set) Sysmon Event ID 7 (Image Load) Sysmon Event ID 1 (Process Create) Sysmon Event ID 8 (CreateRemoteThread)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate accessibility software (screen readers, Dragon NaturallySpeaking) using SetWindowsHookEx for input monitoring
Enterprise DLP or PAM agents (CyberArk, BeyondTrust) that load credential provider DLLs into Winlogon
Third-party credential providers or SSO agents registered in NetworkProvider\Order during software installation
Password managers with autofill functionality hooking input events in browser or application windows
Remote administration tools (TeamViewer, AnyDesk) that capture keyboard/mouse for remote sessions

Elastic Security (EQL)

eql

sequence by host.name with maxspan=1h
  [registry where registry.path : ("*\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order*", "*\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider*") and not process.name : ("services.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe")]
  [library where process.name : ("winlogon.exe", "lsass.exe", "LogonUI.exe", "consent.exe", "credui.exe") and not dll.path : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*")]
---
/* Alternative: individual signal queries */
/* Signal 1: Network Provider DLL registration */
registry where registry.path : ("*\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order*", "*\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider*") and not process.name : ("services.exe", "svchost.exe", "msiexec.exe", "TrustedInstaller.exe")
---
/* Signal 2: Suspicious DLL in credential process */
library where process.name : ("winlogon.exe", "lsass.exe", "LogonUI.exe", "consent.exe", "credui.exe") and not dll.path : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*")
---
/* Signal 3: Input capture API process creation */
process where process.command_line : ("*SetWindowsHookEx*", "*GetAsyncKeyState*", "*GetKeyState*", "*WH_KEYBOARD_LL*", "*WH_MOUSE_LL*", "*pyWinhook*", "*pynput*", "*Get-Clipboard*") or process.name : ("*keylog*", "*keyscan*", "*hookdll*", "*inputcap*")
---
/* Signal 4: Remote thread into credential process */
process where event.action == "CreateRemoteThread" and process.name : ("winlogon.exe", "LogonUI.exe", "credui.exe", "consent.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon via Elastic Agent Elastic Security

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.library-* logs-endpoint.events.process-* logs-endpoint.events.api-* logs-windows.sysmon_operational-*

False Positives

Security software (EDR agents, AV engines) legitimately hooks keyboard/mouse APIs for behavior monitoring
Third-party credential managers or password vaults may load DLLs into winlogon or credui processes
Network authentication middleware (Cisco NAM, Juniper UAC) registers legitimate Network Provider DLLs during installation
Accessibility software such as screen readers (JAWS, NVDA) use SetWindowsHookEx for legitimate input monitoring
Enterprise MFA solutions like Duo or RSA SecurID hook credential processes for authentication flow

IBM QRadar (AQL)

sql

/* Signal 1: Network Provider Registry Key Modification (Sysmon EID 13) */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS User,
  "TargetObject" AS RegistryKey,
  "Details" AS RegistryValue,
  "Image" AS InitiatingProcess,
  'NetworkProviderRegistration' AS SignalType,
  90 AS SeverityScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND qid = (SELECT qid FROM qidmap WHERE qidname = 'Sysmon - Registry value set' LIMIT 1)
  AND ("TargetObject" ILIKE '%\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order%'
       OR "TargetObject" ILIKE '%\\SYSTEM\\CurrentControlSet\\Services\\%\\NetworkProvider%')
  AND "Image" NOT ILIKE '%\\services.exe'
  AND "Image" NOT ILIKE '%\\svchost.exe'
  AND "Image" NOT ILIKE '%\\msiexec.exe'
  AND "Image" NOT ILIKE '%\\TrustedInstaller.exe'
  AND starttime > NOW() - 86400000

UNION ALL

/* Signal 2: Suspicious DLL Loaded into Credential Process (Sysmon EID 7) */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS User,
  "ImageLoaded" AS RegistryKey,
  "Hashes" AS RegistryValue,
  "Image" AS InitiatingProcess,
  'SuspiciousDLLInCredentialProcess' AS SignalType,
  85 AS SeverityScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid = 7
  AND ("Image" ILIKE '%\\winlogon.exe' OR "Image" ILIKE '%\\lsass.exe'
       OR "Image" ILIKE '%\\LogonUI.exe' OR "Image" ILIKE '%\\consent.exe'
       OR "Image" ILIKE '%\\credui.exe')
  AND "ImageLoaded" NOT ILIKE 'C:\\Windows\\System32\\%'
  AND "ImageLoaded" NOT ILIKE 'C:\\Windows\\SysWOW64\\%'
  AND "ImageLoaded" NOT ILIKE 'C:\\Program Files\\%'
  AND "ImageLoaded" NOT ILIKE 'C:\\Program Files (x86)\\%'
  AND starttime > NOW() - 86400000

UNION ALL

/* Signal 3: Input Capture API or Tool Invocation (Sysmon EID 1) */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS User,
  "CommandLine" AS RegistryKey,
  "Image" AS RegistryValue,
  "ParentImage" AS InitiatingProcess,
  'InputCaptureAPIOrTool' AS SignalType,
  70 AS SeverityScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid = 1
  AND ("CommandLine" ILIKE '%SetWindowsHookEx%' OR "CommandLine" ILIKE '%GetAsyncKeyState%'
       OR "CommandLine" ILIKE '%GetKeyState%' OR "CommandLine" ILIKE '%WH_KEYBOARD_LL%'
       OR "CommandLine" ILIKE '%WH_MOUSE_LL%' OR "CommandLine" ILIKE '%pyWinhook%'
       OR "CommandLine" ILIKE '%pynput%' OR "CommandLine" ILIKE '%Get-Clipboard%'
       OR "Image" ILIKE '%keylog%' OR "Image" ILIKE '%keyscan%'
       OR "Image" ILIKE '%inputcap%' OR "Image" ILIKE '%hookdll%')
  AND starttime > NOW() - 86400000

UNION ALL

/* Signal 4: Remote Thread into Credential Process (Sysmon EID 8) */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS User,
  "TargetImage" AS RegistryKey,
  "StartFunction" AS RegistryValue,
  "SourceImage" AS InitiatingProcess,
  'RemoteThreadInCredentialProcess' AS SignalType,
  95 AS SeverityScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid = 8
  AND ("TargetImage" ILIKE '%\\winlogon.exe' OR "TargetImage" ILIKE '%\\LogonUI.exe'
       OR "TargetImage" ILIKE '%\\credui.exe' OR "TargetImage" ILIKE '%\\consent.exe')
  AND starttime > NOW() - 86400000

ORDER BY SeverityScore DESC, EventTime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Sysmon log source Microsoft Windows Security Event Log

Required Tables

events

False Positives

Enterprise security tools (CrowdStrike Falcon, Carbon Black, SentinelOne) create remote threads in system processes as part of their injection-based monitoring
Legitimate software deployment via SCCM or Intune may trigger registry modifications in NetworkProvider paths during network authentication component installation
Password manager extensions (LastPass, 1Password) may load helper DLLs into credential dialog processes on some Windows configurations
Windows updates and service pack installations modify NetworkProvider registry keys via services.exe and TrustedInstaller.exe (already excluded) but sibling processes may also trigger
IT monitoring tools using WMI or PowerShell remoting may invoke clipboard-related APIs in the context of automation scripts

Sumo Logic CSE

sql

/* T1056 Input Capture — Sumo Logic CSE Multi-Signal Detection */

/* Signal 1: Network Provider DLL Registration (Sysmon EID 13) */
_sourceCategory="windows/sysmon" EventCode=13
| where TargetObject matches "*\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order*"
  OR TargetObject matches "*\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider*"
| where !(Image matches "*\\services.exe"
  OR Image matches "*\\svchost.exe"
  OR Image matches "*\\msiexec.exe"
  OR Image matches "*\\TrustedInstaller.exe")
| fields _messageTime, Computer, User, Image, TargetObject, Details
| withtime _messageTime
| eval SignalType="NetworkProviderRegistration", SeverityScore=90

/* Signal 2: Suspicious DLL Load into Credential Process (Sysmon EID 7) */
/* Run separately and union in dashboard */
_sourceCategory="windows/sysmon" EventCode=7
| where (Image matches "*\\winlogon.exe"
  OR Image matches "*\\lsass.exe"
  OR Image matches "*\\LogonUI.exe"
  OR Image matches "*\\consent.exe"
  OR Image matches "*\\credui.exe")
| where !(ImageLoaded matches "C:\\Windows\\System32\\*"
  OR ImageLoaded matches "C:\\Windows\\SysWOW64\\*"
  OR ImageLoaded matches "C:\\Program Files\\*"
  OR ImageLoaded matches "C:\\Program Files (x86)\\*")
| fields _messageTime, Computer, User, Image, ImageLoaded, Hashes
| eval SignalType="SuspiciousDLLInCredentialProcess", SeverityScore=85

/* Signal 3: Input Capture API or Tool in Process Commandline (Sysmon EID 1) */
_sourceCategory="windows/sysmon" EventCode=1
| where CommandLine matches "*SetWindowsHookEx*"
  OR CommandLine matches "*GetAsyncKeyState*"
  OR CommandLine matches "*GetKeyState*"
  OR CommandLine matches "*WH_KEYBOARD_LL*"
  OR CommandLine matches "*WH_MOUSE_LL*"
  OR CommandLine matches "*pyWinhook*"
  OR CommandLine matches "*pynput*"
  OR CommandLine matches "*Get-Clipboard*"
  OR Image matches "*keylog*"
  OR Image matches "*keyscan*"
  OR Image matches "*inputcap*"
  OR Image matches "*hookdll*"
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| eval SignalType="InputCaptureAPIOrTool", SeverityScore=70

/* Signal 4: Remote Thread into Credential Process (Sysmon EID 8) */
_sourceCategory="windows/sysmon" EventCode=8
| where TargetImage matches "*\\winlogon.exe"
  OR TargetImage matches "*\\LogonUI.exe"
  OR TargetImage matches "*\\credui.exe"
  OR TargetImage matches "*\\consent.exe"
| fields _messageTime, Computer, SourceImage, SourceCommandLine, TargetImage, StartFunction
| eval SignalType="RemoteThreadInCredentialProcess", SeverityScore=95

/* Aggregation query for dashboard panel — run after unioning signals in separate panels */
_sourceCategory="windows/sysmon" (EventCode=1 OR EventCode=7 OR EventCode=8 OR EventCode=13)
| parse "EventCode=*" as EventCode
| parse "Image=*" as Image nodrop
| parse "TargetObject=*" as TargetObject nodrop
| parse "TargetImage=*" as TargetImage nodrop
| parse "ImageLoaded=*" as ImageLoaded nodrop
| parse "CommandLine=*" as CommandLine nodrop
| where (EventCode="13" AND (TargetObject matches "*NetworkProvider*") AND !(Image matches "*services.exe" OR Image matches "*svchost.exe"))
  OR (EventCode="7" AND (Image matches "*winlogon.exe" OR Image matches "*lsass.exe" OR Image matches "*LogonUI.exe") AND !(ImageLoaded matches "C:\\Windows\\System32\\*"))
  OR (EventCode="1" AND (CommandLine matches "*SetWindowsHookEx*" OR CommandLine matches "*GetAsyncKeyState*" OR CommandLine matches "*WH_KEYBOARD_LL*" OR Image matches "*keylog*"))
  OR (EventCode="8" AND (TargetImage matches "*winlogon.exe" OR TargetImage matches "*LogonUI.exe" OR TargetImage matches "*credui.exe"))
| timeslice 1h
| count by _timeslice, EventCode, Computer
| sort by _count desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon log source Sumo Logic Installed Collector on Windows endpoints

Required Tables

_sourceCategory=windows/sysmon

False Positives

Endpoint protection agents (Symantec, McAfee, Sophos) load monitoring DLLs into system processes including winlogon.exe as part of their protection hooks
Network authentication clients (GlobalProtect, Cisco AnyConnect) register Network Provider DLLs during VPN client installation or updates
Legitimate system administration PowerShell scripts using Get-Clipboard for clipboard monitoring in IT automation workflows
Windows Credential Provider SDK development — developers testing custom credential providers load experimental DLLs into LogonUI or winlogon during development
Smart card middleware and PKI clients register as Network Providers and load credential DLLs (ActivIdentity, Gemalto SafeNet)

Google Chronicle / SecOps

yaral

rule t1056_input_capture_network_provider_registration {
  meta:
    author = "df00tech"
    description = "Detects Network Provider DLL registration (NPPSPY technique) — T1056 Input Capture"
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "HIGH"
    priority = "HIGH"
  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($reg.target.registry.registry_key, `(?i).*SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order.*`)
      or re.regex($reg.target.registry.registry_key, `(?i).*SYSTEM\\CurrentControlSet\\Services\\.*\\NetworkProvider.*`)
    )
    not re.regex($reg.principal.process.file.full_path, `(?i).*(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe)$`)
  condition:
    $reg
}

rule t1056_input_capture_suspicious_dll_in_credential_process {
  meta:
    author = "df00tech"
    description = "Detects suspicious non-system DLL loaded into credential/authentication processes — T1056 Input Capture"
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "HIGH"
    priority = "HIGH"
  events:
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    re.regex($load.principal.process.file.full_path, `(?i).*(winlogon\.exe|lsass\.exe|LogonUI\.exe|consent\.exe|credui\.exe)$`)
    not re.regex($load.target.process.file.full_path, `(?i)^(C:\\Windows\\System32\\|C:\\Windows\\SysWOW64\\|C:\\Program Files\\|C:\\Program Files \(x86\)\\).*`)
    re.regex($load.target.process.file.full_path, `(?i)\.dll$`)
  condition:
    $load
}

rule t1056_input_capture_api_or_tool {
  meta:
    author = "df00tech"
    description = "Detects process creation referencing input capture APIs or known keylogger tool names — T1056 Input Capture"
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "MEDIUM"
    priority = "MEDIUM"
  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($proc.target.process.command_line, `(?i).*(SetWindowsHookEx|GetAsyncKeyState|GetKeyState|WH_KEYBOARD_LL|WH_MOUSE_LL|pyWinhook|pynput|Get-Clipboard|keyboard\.hook|InputCapture).*`)
      or re.regex($proc.target.process.file.full_path, `(?i).*(keylog|keyscan|hookdll|inputcap|credcap).*`)
    )
  condition:
    $proc
}

rule t1056_input_capture_remote_thread_credential_process {
  meta:
    author = "df00tech"
    description = "Detects remote thread injection into credential and logon UI processes — T1056 Input Capture"
    mitre_attack_tactic = "Defense Evasion, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "CRITICAL"
    priority = "CRITICAL"
  events:
    $inj.metadata.event_type = "PROCESS_INJECTION"
    re.regex($inj.target.process.file.full_path, `(?i).*(winlogon\.exe|LogonUI\.exe|credui\.exe|consent\.exe)$`)
  condition:
    $inj
}

rule t1056_input_capture_compound_signal {
  meta:
    author = "df00tech"
    description = "Compound rule: correlated Input Capture signals on same host within 1 hour — T1056 Input Capture high-confidence"
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "CRITICAL"
    priority = "CRITICAL"
  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($reg.target.registry.registry_key, `(?i).*NetworkProvider.*`)
    not re.regex($reg.principal.process.file.full_path, `(?i).*(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe)$`)

    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    re.regex($load.principal.process.file.full_path, `(?i).*(winlogon\.exe|lsass\.exe|LogonUI\.exe)$`)
    not re.regex($load.target.process.file.full_path, `(?i)^C:\\Windows\\.*`)

    $reg.principal.hostname = $load.principal.hostname
  match:
    $reg.principal.hostname over 1h
  condition:
    $reg and $load
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows endpoint telemetry via Chronicle forwarders Sysmon events forwarded to Chronicle

Required Tables

UDM events with event_type: REGISTRY_MODIFICATION, PROCESS_MODULE_LOAD, PROCESS_LAUNCH, PROCESS_INJECTION

False Positives

EDR sensor updates or configuration changes trigger NetworkProvider registry modifications during agent installation rollouts
Windows Defender Credential Guard configuration writes to NetworkProvider keys during Virtualization-Based Security setup
Legitimate software installers (VPN clients, network authentication agents) register Network Provider DLLs, often via child processes other than msiexec
Third-party authentication solutions (smart card middleware, biometric login software) load DLLs into LogonUI.exe during credential provider initialization
Security research VMs with Sysmon instrumentation may generate false positives from debugging tools that load DLLs into system processes

CrowdStrike LogScale (CQL)

cql

// T1056 Input Capture — CrowdStrike LogScale / Falcon CQL
// Multi-signal detection covering NPPSPY, DLL injection, keylogger APIs, remote thread

// Signal 1: Network Provider Registry Modification (RegistryOperationEvent)
#event_simpleName = "RegistryOperationEvent"
| RegObjectName = /(?i)(SYSTEM\CurrentControlSet\Control\NetworkProvider\Order|SYSTEM\CurrentControlSet\Services\.*\NetworkProvider)/
| ProcessImageFileName != /(?i)(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe)$/
| eval SignalType="NetworkProviderRegistration", SeverityScore=90
| table([_time, ComputerName, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName, CommandLine, SignalType, SeverityScore])

// Signal 2: Suspicious DLL Load into Credential Process (ClassifiedModuleLoad or ImageLoad)
#event_simpleName = /ClassifiedModuleLoad|LoadedModule/
| TargetProcessImageFileName = /(?i)(winlogon\.exe|lsass\.exe|LogonUI\.exe|consent\.exe|credui\.exe)$/
| ImageFileName != /(?i)^(C:\Windows\System32\|C:\Windows\SysWOW64\|C:\Program Files\|C:\Program Files \(x86\)\)/
| ImageFileName = /(?i)\.dll$/
| eval SignalType="SuspiciousDLLInCredentialProcess", SeverityScore=85
| table([_time, ComputerName, UserName, TargetProcessImageFileName, ImageFileName, MD5HashData, SHA256HashData, SignalType, SeverityScore])

// Signal 3: Input Capture API or Tool Invocation (ProcessRollup2)
#event_simpleName = "ProcessRollup2"
| CommandLine = /(?i)(SetWindowsHookEx|GetAsyncKeyState|GetKeyState|WH_KEYBOARD_LL|WH_MOUSE_LL|pyWinhook|pynput|Get-Clipboard|keyboard\.hook|InputCapture)/
  OR ImageFileName = /(?i)(keylog|keyscan|hookdll|inputcap|credcap)/
| eval SignalType="InputCaptureAPIOrTool", SeverityScore=70
| table([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, SignalType, SeverityScore])

// Signal 4: Remote Thread into Credential Process (CreateRemoteThreadApiCall)
#event_simpleName = "CreateRemoteThreadApiCall"
| TargetProcessImageFileName = /(?i)(winlogon\.exe|LogonUI\.exe|credui\.exe|consent\.exe)$/
| eval SignalType="RemoteThreadInCredentialProcess", SeverityScore=95
| table([_time, ComputerName, UserName, ContextProcessImageFileName, TargetProcessImageFileName, StartAddress, SignalType, SeverityScore])

// Aggregated hunting query — all signals by host with counts over 24h
#event_simpleName = /ProcessRollup2|RegistryOperationEvent|ClassifiedModuleLoad|CreateRemoteThreadApiCall/
| case {
    #event_simpleName = "RegistryOperationEvent"
      AND RegObjectName = /(?i)(NetworkProvider)/
      AND ProcessImageFileName != /(?i)(services\.exe|svchost\.exe|msiexec\.exe)$/
      => SignalType := "NetworkProviderReg" ;
    #event_simpleName = /ClassifiedModuleLoad|LoadedModule/
      AND TargetProcessImageFileName = /(?i)(winlogon\.exe|lsass\.exe|LogonUI\.exe|consent\.exe|credui\.exe)$/
      AND ImageFileName != /(?i)^C:\Windows\\/
      => SignalType := "SuspiciousDLLLoad" ;
    #event_simpleName = "ProcessRollup2"
      AND (CommandLine = /(?i)(SetWindowsHookEx|GetAsyncKeyState|WH_KEYBOARD_LL|pyWinhook|pynput)/
           OR ImageFileName = /(?i)(keylog|keyscan|hookdll)/)
      => SignalType := "InputCaptureAPI" ;
    #event_simpleName = "CreateRemoteThreadApiCall"
      AND TargetProcessImageFileName = /(?i)(winlogon\.exe|LogonUI\.exe|credui\.exe|consent\.exe)$/
      => SignalType := "RemoteThreadCredProc" ;
    * => drop()
  }
| groupBy([ComputerName, SignalType], function=[count(as=EventCount), collect([UserName, ImageFileName, CommandLine], limit=5)])
| sort(SeverityScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Complete or Falcon Insight XDR sensor

Required Tables

RegistryOperationEvent ClassifiedModuleLoad LoadedModule ProcessRollup2 CreateRemoteThreadApiCall

False Positives

CrowdStrike sensor itself generates ClassifiedModuleLoad events when loading its own monitoring DLLs into system processes — will appear in telemetry but with known Falcon-signed hashes
VPN client installation (GlobalProtect, Cisco AnyConnect, Pulse Secure) creates RegistryOperationEvent hits on NetworkProvider keys via non-standard installer child processes
Sysmon installation or configuration update may spawn processes matching input capture patterns when loading driver components
Windows Subsystem for Linux (WSL) components may trigger clipboard API detections when using cross-environment clipboard sharing
Software development environments with debugging tools attached to winlogon.exe for testing credential providers will generate DLL load and remote thread signals

Last updated: 2026-04-17 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1056 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Input Capture

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Collection

Popular Detections