Detect Keylogging in Google Chronicle
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include API hooking (SetWindowsHookEx, GetAsyncKeyState), reading hardware buffers, registry modifications, and custom drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems.
MITRE ATT&CK
- Tactic: Collection, Credential Access
- Technique: T1056 Input Capture
- Sub-technique: T1056.001 Keylogging
- Canonical reference: https://attack.mitre.org/techniques/T1056/001/
YARA-L Detection Query
```
rule t1056_001_keylogging_behavioral_indicators {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects behavioral indicators of keylogger installation and activity on Windows. Monitors for suspicious keyboard hook DLL loads, keylogger API usage in processes, keylogger-pattern registry service entries, and keylogger-named file creation."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1056.001"
    mitre_attack_technique_name = "Input Capture: Keylogging"
    false_positives = "Accessibility software, RMM agents, password managers, gaming peripherals software"
    version = "1.0"

  events:
    (
      /* Signal 1: Suspicious DLL load - user32.dll loaded by non-standard process */
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
        re.regex($e.target.file.full_path, `(?i)\\user32\.dll$`) and
        not re.regex($e.principal.process.file.full_path,
          `(?i)\\(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|code|teams|slack|svchost|dwm|taskhostw|ctfmon|runtimebroker|conhost|werfault)\.exe$`)
      )
      or
      /* Signal 2: Process creation with keylogger API patterns in command line */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        (
          re.regex($e.target.process.command_line,
            `(?i)(SetWindowsHookEx[AW]?|GetAsyncKeyState|GetKeyState\b|GetKeyboardState|RegisterHotKey|CallNextHookEx|WH_KEYBOARD(_LL)?)`) or
          re.regex($e.target.process.file.full_path,
            `(?i)(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture)`)
        )
      )
      or
      /* Signal 3: Registry modification creating keylogger service or hook persistence */
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" and
        (
          re.regex($e.target.registry.registry_key,
            `(?i)(keylog|kbdfilter|keyboard[._]filter|keylogdrv|kbdhook)`) or
          (
            re.regex($e.target.registry.registry_key,
              `(?i)CurrentControlSet\\Services`) and
            re.regex($e.target.registry.registry_value_data,
              `(?i)(keylog|kbdfilter|keylogdrv|\bklog\b)`)
          )
        )
      )
      or
      /* Signal 4: File creation with keylogger-related naming pattern */
      (
        $e.metadata.event_type = "FILE_CREATION" and
        re.regex($e.target.file.full_path,
          `(?i)(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|keyboard_log|input_capture)`)
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting behavioral indicators of keylogger installation and activity on Windows endpoints. It evaluates four independent UDM event signals: user32.dll module loads by processes not in the standard allowlist (keyboard hook precursor activity), process launches whose command line contains keyboard interception API strings or whose image path follows keylogger naming conventions, registry modifications creating keylogger-named keys or service entries, and file creation events matching keylogger naming patterns. Maps to MITRE ATT&CK T1056.001 (Input Capture: Keylogging).
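The following is an added example, not Argus's code: a Python re-implementation of the rule's four signals that reuses the rule's own regexes (RE2 syntax that is also valid for Python's `re`) and runs them over constructed UDM-style events. It shows the allowlist suppressing a user32.dll load by explorer.exe, and that `\bklog\b` does not match the `klog_output.txt` file from Test 3, because `_` is a word character so no word boundary follows `klog`. Field names in the flattened events are shorthand for the UDM paths in the rule.

```python
import re

# Regexes copied verbatim from the YARA-L rule; (?i) at the start is accepted by Python's re module.
USER32_RE = re.compile(r"(?i)\\user32\.dll$")
ALLOWLIST_RE = re.compile(r"(?i)\\(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|code|teams|slack|svchost|dwm|taskhostw|ctfmon|runtimebroker|conhost|werfault)\.exe$")
HOOK_API_RE = re.compile(r"(?i)(SetWindowsHookEx[AW]?|GetAsyncKeyState|GetKeyState\b|GetKeyboardState|RegisterHotKey|CallNextHookEx|WH_KEYBOARD(_LL)?)")
PROC_NAME_RE = re.compile(r"(?i)(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture)")
REG_KEY_RE = re.compile(r"(?i)(keylog|kbdfilter|keyboard[._]filter|keylogdrv|kbdhook)")
SERVICES_RE = re.compile(r"(?i)CurrentControlSet\\Services")
SERVICE_DATA_RE = re.compile(r"(?i)(keylog|kbdfilter|keylogdrv|\bklog\b)")
FILE_NAME_RE = re.compile(r"(?i)(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|keyboard_log|input_capture)")


def matching_signals(event: dict) -> list[int]:
    """Return the rule's signal numbers (1-4) that fire for one flattened UDM event."""
    etype = event.get("event_type")
    hits = []
    if etype == "PROCESS_MODULE_LOAD":
        # Signal 1: user32.dll loaded by a process outside the allowlist
        if USER32_RE.search(event.get("target_file", "")) and not ALLOWLIST_RE.search(event.get("principal_process", "")):
            hits.append(1)
    elif etype == "PROCESS_LAUNCH":
        # Signal 2: hook/polling API strings in the command line, or a keylogger-named image
        if HOOK_API_RE.search(event.get("command_line", "")) or PROC_NAME_RE.search(event.get("target_process", "")):
            hits.append(2)
    elif etype == "REGISTRY_MODIFICATION":
        # Signal 3: keylogger-named key, or a Services entry whose data names a keylogger binary
        key, data = event.get("registry_key", ""), event.get("registry_value_data", "")
        if REG_KEY_RE.search(key) or (SERVICES_RE.search(key) and SERVICE_DATA_RE.search(data)):
            hits.append(3)
    elif etype == "FILE_CREATION":
        # Signal 4: keylogger-named file
        if FILE_NAME_RE.search(event.get("target_file", "")):
            hits.append(4)
    return hits


# Constructed UDM-style events (not real telemetry), one per scenario.
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_MODULE_LOAD", "principal_process": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "target_file": r"C:\Windows\System32\user32.dll"},                                   # Signal 1
    {"event_type": "PROCESS_MODULE_LOAD", "principal_process": r"C:\Windows\explorer.exe",
     "target_file": r"C:\Windows\System32\user32.dll"},                                   # allowlisted, no hit
    {"event_type": "PROCESS_LAUNCH", "target_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c Add-Type ... SetWindowsHookExA(13, ...)"},             # Signal 2 (Test 1 shape)
    {"event_type": "REGISTRY_MODIFICATION", "registry_key": r"HKLM\SYSTEM\CurrentControlSet\Services\KbdSvc\ImagePath",
     "registry_value_data": r"C:\ProgramData\klog.exe"},                                  # Signal 3 via service data
    {"event_type": "FILE_CREATION", "target_file": r"C:\Users\alice\AppData\Roaming\keylogger.exe"},   # Signal 4
    {"event_type": "FILE_CREATION", "target_file": r"C:\Users\alice\AppData\Roaming\klog_output.txt"}, # no hit: '_' defeats \b
]
```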
Data Sources
Required Tables
False Positives & Tuning
- Legitimate remote desktop and screen sharing software (TeamViewer, AnyDesk, Citrix Workspace) installs keyboard filter drivers and hooks to relay input from remote sessions — the module load and registry service signals will fire for these during normal installation and operation.
- Input method framework components on multilingual Windows systems (Microsoft IME, Google Japanese Input, Baidu Input) register global keyboard hooks and write configuration data to paths that may partially match keylogger naming patterns.
- Security awareness training platforms and insider threat detection tools that are themselves monitoring keyboard activity for compliance purposes will produce the same behavioral indicators as the malicious keyloggers they are designed to detect.
- Antivirus and EDR products performing kernel-level input monitoring as part of credential theft protection may load user32.dll from non-standard service host paths and register hooks — these processes will not appear in the standard process allowlist.
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SetWindowsHookEx Keyboard Hook via PowerShell
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# code in CommandLine. Sysmon Event ID 7: Image Load for user32.dll initiated by powershell.exe. Sysmon Event ID 11: File Create for keylog_test.txt in %TEMP%. Security Event ID 4688 (if enabled) for powershell.exe process creation.
- Test 2: GetAsyncKeyState Polling Loop
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with GetAsyncKeyState in CommandLine. Sysmon Event ID 7: Image Load for user32.dll by powershell.exe. Sysmon Event ID 11: File Create for keystate_test.txt in %TEMP%.
- Test 3: Keylogger Filename and Registry Persistence Simulation
  Expected signal: Sysmon Event ID 11: File Create for keylogger.exe and klog_output.txt in %APPDATA%. Sysmon Event ID 13: Registry value set for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyCapture. Security Event ID 4688 for powershell.exe.
- Test 4: Empire-style Python Keylogger on Linux
  Expected signal: Linux auditd: SYSCALL records for open('/dev/input/event0') if auditd rules are configured for /dev/input monitoring. Syslog: Process creation of python3 with suspicious inline code. File creation of /tmp/key_capture_test.log. If using Sysmon for Linux: ProcessCreate event for python3 with CommandLine containing 'dev/input' and 'struct.unpack'.
References (11)
- https://attack.mitre.org/techniques/T1056/001/
- http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
- https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/
- https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md
- https://learn.microsoft.com/en-us/windows/win32/winmsg/about-hooks
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexw
- https://www.eset.com/int/about/newsroom/research/evasive-panda-apt-group-uses-supply-chain-attacks-to-target-tibetans/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation