T1056.001

Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include API hooking (SetWindowsHookEx, GetAsyncKeyState), reading hardware buffers, registry modifications, and custom drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems.

Microsoft Sentinel / Defender

kusto

let KeyloggerAPIs = dynamic([
  "SetWindowsHookEx", "SetWindowsHookExA", "SetWindowsHookExW",
  "GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
  "RegisterHotKey", "CallNextHookEx",
  "WH_KEYBOARD", "WH_KEYBOARD_LL"
]);
let SuspiciousKeyloggerFiles = dynamic([
  "keylog", "keystroke", "klog", "keycap", "keyrecord",
  "keyspy", "keyboard_log", "input_capture"
]);
let KeyloggerDriverPatterns = dynamic([
  "keyboard filter", "kbdfilter", "keylogdrv", "kbdhook"
]);
// Detect suspicious DLL loads indicative of keyboard hooking
let DLLHookLoads = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName =~ "user32.dll" and InitiatingProcessFileName !in~ (
    "explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe",
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
    "notepad.exe", "code.exe", "teams.exe", "slack.exe",
    "svchost.exe", "dwm.exe", "taskhostw.exe"
  )
| extend Reason = "Suspicious user32.dll load by unusual process"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, FileName, Reason;
// Detect processes with keylogger-related strings in command line
let SuspiciousCmdLine = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (KeyloggerAPIs)
    or FileName has_any (SuspiciousKeyloggerFiles)
    or FolderPath has_any (SuspiciousKeyloggerFiles)
| extend Reason = "Process with keylogger API or filename pattern"
| project Timestamp, DeviceName, AccountName=AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, FolderPath, Reason;
// Detect service installations with keylogger characteristics
let SuspiciousServices = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
| where RegistryValueName =~ "ImagePath" or RegistryValueName =~ "Description"
| where RegistryValueData has_any (KeyloggerDriverPatterns)
    or RegistryValueData has_any (SuspiciousKeyloggerFiles)
| extend Reason = "Keylogger-related service registry entry"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, Reason;
// Detect suspicious file creation with keylogger-related names
let SuspiciousFiles = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousKeyloggerFiles)
    or FolderPath has_any (SuspiciousKeyloggerFiles)
| extend Reason = "File creation with keylogger-related name"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, Reason;
// Union and surface results
DLLHookLoads
| union SuspiciousCmdLine
| union SuspiciousServices
| union SuspiciousFiles
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Image: Image Load Windows Registry: Registry Value Modification File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceImageLoadEvents DeviceRegistryEvents DeviceFileEvents

False Positives

Legitimate accessibility software (e.g., Dragon NaturallySpeaking, screen readers like JAWS, NVDA) that use keyboard hook APIs for input monitoring
Password managers and macro utilities (AutoHotkey, Logitech G Hub, Razer Synapse) that legitimately hook keyboard input for hotkeys
Security testing tools and endpoint security products that monitor keyboard input as part of behavior analysis
Remote desktop and virtual machine software (VMware, VirtualBox, AnyDesk, TeamViewer) that intercept keyboard input for session relay

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval is_process_create=if(EventCode=1, 1, 0)
| eval is_image_load=if(EventCode=7, 1, 0)
| eval is_reg_event=if(EventCode IN (12,13,14), 1, 0)
| eval is_file_create=if(EventCode=11, 1, 0)
| eval is_service_install=if(EventCode=7045, 1, 0)

``` Process creation with keylogger indicators ```
| eval KeyloggerProcess=if(
    EventCode=1 AND (
      match(lower(CommandLine), "(getkeystate|getasynckeystate|setwwindowshookex|wh_keyboard|getkeyboardstate|registhotkey)") OR
      match(lower(Image), "(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog)")
    ), 1, 0)

``` Image loads - user32.dll by unusual processes ```
| eval SuspiciousHookLoad=if(
    EventCode=7 AND
    match(lower(ImageLoaded), "user32\.dll") AND
    NOT match(lower(Image), "(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|notepad\.exe|code\.exe|teams\.exe|slack\.exe|svchost\.exe|dwm\.exe|taskhostw\.exe|ctfmon\.exe|runtimebroker\.exe)"),
    1, 0)

``` Registry modifications for hook persistence or suspicious service ```
| eval SuspiciousRegistry=if(
    (EventCode IN (12,13,14)) AND (
      match(lower(TargetObject), "(keylog|keystroke|kbdfilter|keyboard.filter|keylogdrv)") OR
      (match(lower(TargetObject), "currentcontrolset\\\\services") AND match(lower(Details), "(keylog|kbdfilter|keylogdrv)"))
    ), 1, 0)

``` File creation with keylogger-related names ```
| eval SuspiciousFile=if(
    EventCode=11 AND
    match(lower(TargetFilename), "(keylog|keystroke|klog|keycap|keyrecord|keyspy|keyboard_log|input_capture)"),
    1, 0)

``` Windows Security - Service install with keylogger traits ```
| eval SuspiciousService=if(
    EventCode=7045 AND
    match(lower(ServiceFileName), "(keylog|keystroke|kbdfilter|keylogdrv|klog)"),
    1, 0)

| eval TotalScore=KeyloggerProcess + SuspiciousHookLoad + SuspiciousRegistry + SuspiciousFile + SuspiciousService
| where TotalScore > 0
| eval DetectionReason=mvappend(
    if(KeyloggerProcess=1, "Keylogger API/filename in process", null()),
    if(SuspiciousHookLoad=1, "Suspicious user32.dll load", null()),
    if(SuspiciousRegistry=1, "Suspicious registry modification", null()),
    if(SuspiciousFile=1, "Keylogger-related file created", null()),
    if(SuspiciousService=1, "Keylogger-related service installed", null())
  )
| eval DetectionReason=mvjoin(DetectionReason, " | ")
| table _time, host, User, EventCode, Image, CommandLine, ImageLoaded, TargetObject, TargetFilename, ServiceName, ServiceFileName, TotalScore, DetectionReason
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Image: Image Load Windows Registry: Registry Value Modification File: File Creation Windows Security Event Log Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate accessibility software (e.g., Dragon NaturallySpeaking, screen readers like JAWS, NVDA) that use keyboard hook APIs for input monitoring
Password managers and macro utilities (AutoHotkey, Logitech G Hub, Razer Synapse) that legitimately hook keyboard input for hotkeys
Security testing tools and endpoint security products that monitor keyboard input as part of behavior analysis
Remote desktop and virtual machine software (VMware, VirtualBox, AnyDesk, TeamViewer) that intercept keyboard input for session relay

Elastic Security (EQL)

eql

any where
  (
    /* Suspicious user32.dll load by unusual process - keyboard hook indicator */
    (
      event.category == "library" and
      dll.name : "user32.dll" and
      not process.name : ("explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "notepad.exe", "code.exe", "teams.exe", "slack.exe", "svchost.exe", "dwm.exe", "taskhostw.exe", "ctfmon.exe", "runtimebroker.exe", "conhost.exe", "werfault.exe")
    )
    or
    /* Process creation with keylogger API patterns in command line or image name */
    (
      event.category == "process" and event.type == "start" and
      (
        process.command_line : ("*SetWindowsHookEx*", "*SetWindowsHookExA*", "*SetWindowsHookExW*", "*GetAsyncKeyState*", "*GetKeyState*", "*GetKeyboardState*", "*RegisterHotKey*", "*CallNextHookEx*", "*WH_KEYBOARD*", "*WH_KEYBOARD_LL*") or
        process.name : ("*keylog*", "*keystroke*", "*klog*", "*keycap*", "*keyrecord*", "*keyspy*", "*kbdlog*", "*keyboard_log*", "*input_capture*") or
        process.executable : ("*keylog*", "*keystroke*", "*klog*", "*keycap*", "*keyrecord*", "*keyspy*")
      )
    )
    or
    /* Registry modification with keylogger driver or service patterns */
    (
      event.category == "registry" and
      (
        registry.path : ("*keylog*", "*kbdfilter*", "*keyboard?filter*", "*keylogdrv*", "*kbdhook*") or
        (
          registry.path : ("*CurrentControlSet\\Services*") and
          registry.data.strings : ("*keylog*", "*kbdfilter*", "*keylogdrv*", "*klog*")
        )
      )
    )
    or
    /* File creation with keylogger-related names */
    (
      event.category == "file" and event.type == "creation" and
      file.path : ("*keylog*", "*keystroke*", "*klog*", "*keycap*", "*keyrecord*", "*keyspy*", "*keyboard_log*", "*input_capture*")
    )
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Windows Sysmon via Elastic Agent Elastic Defend (EDR)

Required Tables

logs-endpoint.events.library-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Legitimate accessibility software (JAWS, NVDA, Dragon NaturallySpeaking) uses SetWindowsHookEx and keyboard API calls to implement screen reader and voice control functionality, triggering the API pattern detection.
Gaming overlay tools and key remapping software (AutoHotkey, Razer Synapse, Logitech G HUB) load user32.dll and register keyboard hooks to implement hotkeys, macros, and input remapping — these processes may not appear in the allowlist.
Remote monitoring and management (RMM) agents such as ConnectWise Control, TeamViewer, or AnyDesk use keyboard capture APIs for remote session functionality and may generate registry entries or files matching keylogger patterns.
Security and antivirus products performing behavioral monitoring may load user32.dll and call keyboard-adjacent APIs as part of their own threat detection capabilities.
Developer tools including IDEs with live preview, screen recording software, and keyboard testing utilities may create files or invoke APIs matching keylogger detection patterns during legitimate development workflows.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  logsourcename(logsourceid) AS "Log Source",
  CATEGORYNAME(category) AS "Category",
  username AS "User",
  sourceip AS "Source IP",
  QIDNAME(qid) AS "Event Name",
  "EventCode",
  "Image",
  "CommandLine",
  "ImageLoaded",
  "TargetObject",
  "Details",
  "TargetFilename",
  "ServiceName",
  "ServiceFileName",
  CASE
    WHEN LONG("EventCode") = 1 AND (
      LOWER("CommandLine") IMATCHES '%(getkeystate|getasynckeystate|setwindowshookex|setwindowshookexw|setwindowshookexw|wh_keyboard|wh_keyboard_ll|getkeyboardstate|registerhotkey|callnexthookex)%'
      OR LOWER("Image") IMATCHES '%(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture)%'
    ) THEN 'Keylogger API or filename in process launch'
    WHEN LONG("EventCode") = 7
      AND LOWER("ImageLoaded") IMATCHES '%user32.dll%'
      AND NOT (LOWER("Image") IMATCHES '%(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|notepad\.exe|code\.exe|teams\.exe|slack\.exe|svchost\.exe|dwm\.exe|taskhostw\.exe|ctfmon\.exe|runtimebroker\.exe|conhost\.exe|werfault\.exe)%')
    THEN 'Suspicious user32.dll load by non-standard process'
    WHEN LONG("EventCode") IN (12, 13, 14) AND (
      LOWER("TargetObject") IMATCHES '%(keylog|kbdfilter|keyboard.filter|keylogdrv|kbdhook)%'
      OR (LOWER("TargetObject") IMATCHES '%currentcontrolset%services%' AND LOWER("Details") IMATCHES '%(keylog|kbdfilter|keylogdrv|klog)%')
    ) THEN 'Keylogger-related registry modification'
    WHEN LONG("EventCode") = 11
      AND LOWER("TargetFilename") IMATCHES '%(keylog|keystroke|klog|keycap|keyrecord|keyspy|keyboard_log|input_capture)%'
    THEN 'Keylogger-related file creation'
    WHEN LONG("EventCode") = 7045
      AND LOWER("ServiceFileName") IMATCHES '%(keylog|keystroke|kbdfilter|keylogdrv|klog)%'
    THEN 'Keylogger-related service installation'
    ELSE 'Unknown'
  END AS "Detection Reason"
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (143, 382, 384)
  AND starttime > NOW() - 86400000
  AND (
    /* Sysmon EID 1 - Process Create with keylogger indicators */
    (LONG("EventCode") = 1 AND (
      LOWER("CommandLine") IMATCHES '%(getkeystate|getasynckeystate|setwindowshookex|wh_keyboard|wh_keyboard_ll|getkeyboardstate|registerhotkey|callnexthookex)%'
      OR LOWER("Image") IMATCHES '%(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture)%'
    ))
    /* Sysmon EID 7 - Image Load: user32.dll by suspicious process */
    OR (LONG("EventCode") = 7
      AND LOWER("ImageLoaded") IMATCHES '%user32.dll%'
      AND NOT LOWER("Image") IMATCHES '%(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|notepad\.exe|code\.exe|teams\.exe|slack\.exe|svchost\.exe|dwm\.exe|taskhostw\.exe|ctfmon\.exe|runtimebroker\.exe|conhost\.exe|werfault\.exe)%'
    )
    /* Sysmon EID 12/13/14 - Registry events with keylogger patterns */
    OR (LONG("EventCode") IN (12, 13, 14) AND (
      LOWER("TargetObject") IMATCHES '%(keylog|kbdfilter|keyboard.filter|keylogdrv|kbdhook)%'
      OR (LOWER("TargetObject") IMATCHES '%currentcontrolset%services%' AND LOWER("Details") IMATCHES '%(keylog|kbdfilter|keylogdrv|klog)%')
    ))
    /* Sysmon EID 11 - File Create with keylogger name */
    OR (LONG("EventCode") = 11
      AND LOWER("TargetFilename") IMATCHES '%(keylog|keystroke|klog|keycap|keyrecord|keyspy|keyboard_log|input_capture)%'
    )
    /* Security EID 7045 - Service Install with keylogger traits */
    OR (LONG("EventCode") = 7045
      AND LOWER("ServiceFileName") IMATCHES '%(keylog|keystroke|kbdfilter|keylogdrv|klog)%'
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (DSM) Microsoft Windows Sysmon (DSM)

Required Tables

events

False Positives

Input method editors (IMEs) and third-party keyboard software (language input tools, keyboard layout managers) register keyboard hooks and write configuration files that may match naming patterns — particularly common in multilingual enterprise environments.
Password managers such as KeePass, 1Password, and Bitwarden use keyboard shortcut detection APIs (RegisterHotKey, GetAsyncKeyState) to implement global autofill shortcuts, generating API-pattern alerts without malicious intent.
Penetration testing and red team exercises using tools like Metasploit's keylogger module or commercial C2 frameworks may intentionally trigger all detection signals — validate against authorized engagements before escalating.
Custom enterprise monitoring agents or user activity monitoring (UAM) tools deployed by IT/HR teams may install keyboard capture services with names or service paths matching keylogger patterns as part of authorized endpoint monitoring.

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=endpoint/sysmon)
| where EventCode in ("1", "7", "11", "12", "13", "14", "7045")
/* Process creation with keylogger API or image name indicators - Sysmon EID 1 */
| eval keylogger_process = if(
    EventCode = "1" and (
      matches(toLowerCase(CommandLine), ".*(getkeystate|getasynckeystate|setwindowshookex|setwindowshookexw|setwindowshookexa|wh_keyboard|wh_keyboard_ll|getkeyboardstate|registerhotkey|callnexthookex).*") or
      matches(toLowerCase(Image), ".*(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture).*")
    ),
    1, 0
  )
/* Suspicious user32.dll load by non-standard process - Sysmon EID 7 */
| eval suspicious_hook_load = if(
    EventCode = "7" and
    matches(toLowerCase(ImageLoaded), ".*user32\\.dll.*") and
    not matches(toLowerCase(Image), ".*(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|code|teams|slack|svchost|dwm|taskhostw|ctfmon|runtimebroker|conhost|werfault)\\.exe.*"),
    1, 0
  )
/* Registry modification with keylogger service or hook patterns - Sysmon EID 12/13/14 */
| eval suspicious_registry = if(
    EventCode in ("12", "13", "14") and (
      matches(toLowerCase(TargetObject), ".*(keylog|kbdfilter|keyboard.filter|keylogdrv|kbdhook).*") or
      (
        matches(toLowerCase(TargetObject), ".*currentcontrolset.*services.*") and
        matches(toLowerCase(Details), ".*(keylog|kbdfilter|keylogdrv|klog).*")
      )
    ),
    1, 0
  )
/* File creation with keylogger-related name - Sysmon EID 11 */
| eval suspicious_file = if(
    EventCode = "11" and
    matches(toLowerCase(TargetFilename), ".*(keylog|keystroke|klog|keycap|keyrecord|keyspy|keyboard_log|input_capture).*"),
    1, 0
  )
/* Service installation with keylogger traits - Security EID 7045 */
| eval suspicious_service = if(
    EventCode = "7045" and
    matches(toLowerCase(ServiceFileName), ".*(keylog|keystroke|kbdfilter|keylogdrv|klog).*"),
    1, 0
  )
| eval total_score = keylogger_process + suspicious_hook_load + suspicious_registry + suspicious_file + suspicious_service
| where total_score > 0
| eval detection_reason = concat(
    if(keylogger_process = 1, "[KEYLOGGER_API_OR_NAME] ", ""),
    if(suspicious_hook_load = 1, "[SUSPICIOUS_USER32_LOAD] ", ""),
    if(suspicious_registry = 1, "[KEYLOGGER_REGISTRY] ", ""),
    if(suspicious_file = 1, "[KEYLOGGER_FILE_CREATED] ", ""),
    if(suspicious_service = 1, "[KEYLOGGER_SERVICE_INSTALL] ", "")
  )
| fields _messageTime, _sourceHost, User, EventCode, Image, CommandLine, ImageLoaded, TargetObject, TargetFilename, ServiceName, ServiceFileName, total_score, detection_reason
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon logs via Sumo Logic Installed Collector Windows Security Event Log via Sumo Logic Installed Collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security _sourceCategory=endpoint/sysmon

False Positives

Accessibility technology including screen readers (JAWS, NVDA), braille display drivers, and switch access software for users with disabilities relies on SetWindowsHookEx and related keyboard APIs — these are benign but will trigger the API pattern detection, especially in healthcare or government environments with accessibility requirements.
Software development and testing tools such as UI test automation frameworks (Selenium, Appium Windows Driver, AutoIt), keyboard macro recorders, and input simulation libraries create processes and files with keyboard-capture naming conventions during legitimate test execution.
Enterprise password managers and privileged access management (PAM) agents use keyboard hook APIs for global hotkeys and may create local credential files or registry entries with names loosely matching keylogger patterns (e.g., 'keyvault', 'keychain').
Hardware vendor control software (Corsair iCUE, SteelSeries GG, Logitech Options) installs keyboard filter drivers and creates service entries that may match keylogger driver name patterns while performing legitimate RGB/macro management.

Google Chronicle / SecOps

yaral

rule t1056_001_keylogging_behavioral_indicators {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects behavioral indicators of keylogger installation and activity on Windows. Monitors for suspicious keyboard hook DLL loads, keylogger API usage in processes, keylogger-pattern registry service entries, and keylogger-named file creation."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1056.001"
    mitre_attack_technique_name = "Input Capture: Keylogging"
    false_positives = "Accessibility software, RMM agents, password managers, gaming peripherals software"
    version = "1.0"

  events:
    (
      /* Signal 1: Suspicious DLL load - user32.dll loaded by non-standard process */
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
        re.regex($e.target.file.full_path, `(?i)\\user32\.dll$`) and
        not re.regex($e.principal.process.file.full_path,
          `(?i)\\(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|code|teams|slack|svchost|dwm|taskhostw|ctfmon|runtimebroker|conhost|werfault)\.exe$`)
      )
      or
      /* Signal 2: Process creation with keylogger API patterns in command line */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        (
          re.regex($e.target.process.command_line,
            `(?i)(SetWindowsHookEx[AW]?|GetAsyncKeyState|GetKeyState\b|GetKeyboardState|RegisterHotKey|CallNextHookEx|WH_KEYBOARD(_LL)?)`) or
          re.regex($e.target.process.file.full_path,
            `(?i)(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture)`)
        )
      )
      or
      /* Signal 3: Registry modification creating keylogger service or hook persistence */
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" and
        (
          re.regex($e.target.registry.registry_key,
            `(?i)(keylog|kbdfilter|keyboard[._]filter|keylogdrv|kbdhook)`) or
          (
            re.regex($e.target.registry.registry_key,
              `(?i)CurrentControlSet\\Services`) and
            re.regex($e.target.registry.registry_value_data,
              `(?i)(keylog|kbdfilter|keylogdrv|\bklog\b)`)
          )
        )
      )
      or
      /* Signal 4: File creation with keylogger-related naming pattern */
      (
        $e.metadata.event_type = "FILE_CREATION" and
        re.regex($e.target.file.full_path,
          `(?i)(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|keyboard_log|input_capture)`)
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Windows Sysmon via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle integration CrowdStrike Falcon via Chronicle integration

Required Tables

UDM Events (PROCESS_MODULE_LOAD) UDM Events (PROCESS_LAUNCH) UDM Events (REGISTRY_MODIFICATION) UDM Events (FILE_CREATION)

False Positives

Legitimate remote desktop and screen sharing software (TeamViewer, AnyDesk, Citrix Workspace) installs keyboard filter drivers and hooks to relay input from remote sessions — the module load and registry service signals will fire for these during normal installation and operation.
Input method framework components on multilingual Windows systems (Microsoft IME, Google Japanese Input, Baidu Input) register global keyboard hooks and write configuration data to paths that may partially match keylogger naming patterns.
Security awareness training platforms and insider threat detection tools that are themselves monitoring keyboard activity for compliance purposes will produce the same behavioral indicators as the malicious keyloggers they are designed to detect.
Antivirus and EDR products performing kernel-level input monitoring as part of credential theft protection may load user32.dll from non-standard service host paths and register hooks — these processes will not appear in the standard process allowlist.

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN ("ImageLoad", "ProcessRollup2", "SyntheticProcessRollup2", "PeFileWritten", "RegKeyCreate", "RegValueUpdate", "RegKeyUpdate")
| eval signal_type = ""
/* Signal 1: Suspicious user32.dll image load by non-standard process */
| case {
    #event_simpleName = "ImageLoad"
      AND ImageFileName = /(?i)\\user32\.dll$/
      AND NOT ContextImageFileName = /(?i)\\(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|Code|teams|slack|svchost|dwm|taskhostw|ctfmon|RuntimeBroker|conhost|WerFault)\.exe$/
    | signal_type := "SUSPICIOUS_USER32_HOOK_LOAD" ;
    *
  }
/* Signal 2: Process creation with keylogger API patterns in command line or image */
| case {
    #event_simpleName IN ("ProcessRollup2", "SyntheticProcessRollup2")
      AND (
        CommandLine = /(?i)(SetWindowsHookEx[AW]?|GetAsyncKeyState|GetKeyState|GetKeyboardState|RegisterHotKey|CallNextHookEx|WH_KEYBOARD(_LL)?)/
        OR ImageFileName = /(?i)(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture)/
      )
    | signal_type := "KEYLOGGER_API_OR_FILENAME" ;
    *
  }
/* Signal 3: Registry modification with keylogger driver or service patterns */
| case {
    #event_simpleName IN ("RegKeyCreate", "RegValueUpdate", "RegKeyUpdate")
      AND (
        RegObjectName = /(?i)(keylog|kbdfilter|keyboard[._]filter|keylogdrv|kbdhook)/
        OR (
          RegObjectName = /(?i)CurrentControlSet\\Services/
          AND RegStringValue = /(?i)(keylog|kbdfilter|keylogdrv|\bklog\b)/
        )
      )
    | signal_type := "KEYLOGGER_REGISTRY_MODIFICATION" ;
    *
  }
/* Signal 4: PE file written to disk with keylogger-related name */
| case {
    #event_simpleName = "PeFileWritten"
      AND TargetFileName = /(?i)(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|keyboard_log|input_capture)/
    | signal_type := "KEYLOGGER_PE_FILE_CREATED" ;
    *
  }
| signal_type != ""
| select([@timestamp, #event_simpleName, signal_type, ComputerName, UserName, CommandLine, ImageFileName, ContextImageFileName, RegObjectName, RegStringValue, TargetFileName, TargetDirectoryName, ProcessId, ParentProcessId])
| sort(field=@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio) Falcon Prevent (AV) telemetry Falcon Insight (EDR) telemetry

Required Tables

ImageLoad events (#event_simpleName=ImageLoad) Process events (#event_simpleName=ProcessRollup2) Process events (#event_simpleName=SyntheticProcessRollup2) File write events (#event_simpleName=PeFileWritten) Registry events (#event_simpleName=RegKeyCreate, RegValueUpdate, RegKeyUpdate)

False Positives

Third-party endpoint security products from competing vendors (Symantec, McAfee/Trellix, Trend Micro) load user32.dll from non-standard service paths and may install keyboard filter components — Falcon may not recognize these as trusted processes, generating false positives especially in environments running multiple security agents.
Enterprise application monitoring and APM agents (AppDynamics, Dynatrace, New Relic) that instrument .NET or Java applications may hook keyboard APIs to measure user interaction latency, producing API-pattern detections during normal performance monitoring.
Biometric authentication software and smart card middleware that maps keyboard events to authentication triggers can match keylogger API patterns while performing authorized multi-factor authentication operations.

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1056.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1056Input Capture

Related Sub-techniques

T1056.002GUI Input Capture T1056.003Web Portal Capture T1056.004Credential API Hooking

Keylogging

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections