T1056.001 Elastic Security · Elastic

Detect Keylogging in Elastic Security

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include API hooking (SetWindowsHookEx, GetAsyncKeyState), reading hardware buffers, registry modifications, and custom drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems.

MITRE ATT&CK

Tactic: Collection, Credential Access
Technique: T1056 Input Capture
Sub-technique: T1056.001 Keylogging
Canonical reference: https://attack.mitre.org/techniques/T1056/001/

Elastic Detection Query

Elastic Security (Elastic), EQL query:
any where
  (
    /* Suspicious user32.dll load by unusual process - keyboard hook indicator */
    (
      event.category == "library" and
      dll.name : "user32.dll" and
      not process.name : ("explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "notepad.exe", "code.exe", "teams.exe", "slack.exe", "svchost.exe", "dwm.exe", "taskhostw.exe", "ctfmon.exe", "runtimebroker.exe", "conhost.exe", "werfault.exe")
    )
    or
    /* Process creation with keylogger API patterns in command line or image name */
    (
      event.category == "process" and event.type == "start" and
      (
        process.command_line : ("*SetWindowsHookEx*", "*SetWindowsHookExA*", "*SetWindowsHookExW*", "*GetAsyncKeyState*", "*GetKeyState*", "*GetKeyboardState*", "*RegisterHotKey*", "*CallNextHookEx*", "*WH_KEYBOARD*", "*WH_KEYBOARD_LL*") or
        process.name : ("*keylog*", "*keystroke*", "*klog*", "*keycap*", "*keyrecord*", "*keyspy*", "*kbdlog*", "*keyboard_log*", "*input_capture*") or
        process.executable : ("*keylog*", "*keystroke*", "*klog*", "*keycap*", "*keyrecord*", "*keyspy*")
      )
    )
    or
    /* Registry modification with keylogger driver or service patterns */
    (
      event.category == "registry" and
      (
        registry.path : ("*keylog*", "*kbdfilter*", "*keyboard?filter*", "*keylogdrv*", "*kbdhook*") or
        (
          registry.path : ("*CurrentControlSet\\Services*") and
          registry.data.strings : ("*keylog*", "*kbdfilter*", "*keylogdrv*", "*klog*")
        )
      )
    )
    or
    /* File creation with keylogger-related names */
    (
      event.category == "file" and event.type == "creation" and
      file.path : ("*keylog*", "*keystroke*", "*klog*", "*keycap*", "*keyrecord*", "*keyspy*", "*keyboard_log*", "*input_capture*")
    )
  )
Severity: high. Confidence: medium.

Detects behavioral indicators of keylogger installation and activity on Windows systems. Monitors for four distinct signals: suspicious user32.dll loads by non-standard processes (keyboard hook precursor), process creation invoking keyboard interception APIs or using keylogger-named executables, registry modifications creating keylogger driver services, and file creation with keylogger-related naming patterns. Covers MITRE ATT&CK T1056.001 - Keylogging.
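To see which of the four branches fires on a given event before deploying the rule, here is an added Python re-implementation of the query's conditions run over constructed sample events; this is editorial example code, not Elastic's rule engine, and the event dicts, branch names and the `matches` helper are assumptions modelled on the Testing Methodology section.

```python
from fnmatch import fnmatchcase
# Pattern lists copied from the EQL rule branches above.
ALLOWED_USER32_LOADERS = {"explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe",
    "winword.exe", "excel.exe", "powerpnt.exe", "notepad.exe", "code.exe", "teams.exe", "slack.exe",
    "svchost.exe", "dwm.exe", "taskhostw.exe", "ctfmon.exe", "runtimebroker.exe", "conhost.exe", "werfault.exe"}
API_PATTERNS = ["*SetWindowsHookEx*", "*GetAsyncKeyState*", "*GetKeyState*", "*GetKeyboardState*",
                "*RegisterHotKey*", "*CallNextHookEx*", "*WH_KEYBOARD*"]
NAME_PATTERNS = ["*keylog*", "*keystroke*", "*klog*", "*keycap*", "*keyrecord*", "*keyspy*",
                 "*kbdlog*", "*keyboard_log*", "*input_capture*"]
EXE_PATTERNS, FILE_PATTERNS = NAME_PATTERNS[:6], NAME_PATTERNS[:6] + NAME_PATTERNS[7:]
REG_PATH_PATTERNS = ["*keylog*", "*kbdfilter*", "*keyboard?filter*", "*keylogdrv*", "*kbdhook*"]
REG_DATA_PATTERNS = ["*keylog*", "*kbdfilter*", "*keylogdrv*", "*klog*"]

def matches(value, patterns):
    """EQL ':' is a case-insensitive wildcard match; ECS array fields (lists) are accepted too."""
    values = value if isinstance(value, list) else [value]
    return any(fnmatchcase(v.lower(), p.lower())
               for v in values if isinstance(v, str) for p in patterns)

def keylogger_signal(ev):
    """Return the name of the rule branch that fires for one ECS-style event dict, or None."""
    cat, typ = ev.get("event.category"), ev.get("event.type")
    if (cat == "library" and matches(ev.get("dll.name"), ["user32.dll"])
            and ev.get("process.name", "").lower() not in ALLOWED_USER32_LOADERS):
        return "unusual_user32_load"
    if cat == "process" and typ == "start" and (
            matches(ev.get("process.command_line"), API_PATTERNS)
            or matches(ev.get("process.name"), NAME_PATTERNS)
            or matches(ev.get("process.executable"), EXE_PATTERNS)):
        return "keylogger_api_or_name"
    if cat == "registry" and (
            matches(ev.get("registry.path"), REG_PATH_PATTERNS)
            or (matches(ev.get("registry.path"), ["*CurrentControlSet\\Services*"])
                and matches(ev.get("registry.data.strings"), REG_DATA_PATTERNS))):
        return "keylogger_service_registry"
    if cat == "file" and typ == "creation" and matches(ev.get("file.path"), FILE_PATTERNS):
        return "keylogger_named_file"
    return None

# Constructed sample events modelled on the Testing Methodology section, not real telemetry.
SAMPLE_EVENTS = [
    {"event.category": "library", "dll.name": "user32.dll", "process.name": "powershell.exe"},
    {"event.category": "library", "dll.name": "user32.dll", "process.name": "explorer.exe"},
    {"event.category": "process", "event.type": "start", "process.name": "powershell.exe",
     "process.command_line": "powershell -c [Win32]::GetAsyncKeyState(0x41)"},
    {"event.category": "registry", "registry.path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\kbdfltr",
     "registry.data.strings": ["C:\\Windows\\System32\\drivers\\keylogdrv.sys"]},
    {"event.category": "file", "event.type": "creation", "file.path": "C:\\Users\\u\\AppData\\Roaming\\klog_output.txt"},
    {"event.category": "file", "event.type": "creation", "file.path": "C:\\Users\\u\\notes.txt"},
]
```

Note that the allowlisted explorer.exe load and the ordinary notes.txt creation return None, while the powershell.exe user32.dll load fires on the first branch alone, which is why that branch is the main tuning target.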

Data Sources

  • Elastic Endpoint Security
  • Windows Sysmon via Elastic Agent
  • Elastic Defend (EDR)

Required Tables

  • logs-endpoint.events.library-*
  • logs-endpoint.events.process-*
  • logs-endpoint.events.registry-*
  • logs-endpoint.events.file-*
  • logs-windows.sysmon_operational-*

False Positives & Tuning

  • Legitimate accessibility software (JAWS, NVDA, Dragon NaturallySpeaking) uses SetWindowsHookEx and keyboard API calls to implement screen reader and voice control functionality, triggering the API pattern detection.
  • Gaming overlay tools and key remapping software (AutoHotkey, Razer Synapse, Logitech G HUB) load user32.dll and register keyboard hooks to implement hotkeys, macros, and input remapping — these processes may not appear in the allowlist.
  • Remote monitoring and management (RMM) agents such as ConnectWise Control, TeamViewer, or AnyDesk use keyboard capture APIs for remote session functionality and may generate registry entries or files matching keylogger patterns.
  • Security and antivirus products performing behavioral monitoring may load user32.dll and call keyboard-adjacent APIs as part of their own threat detection capabilities.
  • Developer tools including IDEs with live preview, screen recording software, and keyboard testing utilities may create files or invoke APIs matching keylogger detection patterns during legitimate development workflows.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SetWindowsHookEx Keyboard Hook via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# code in CommandLine. Sysmon Event ID 7: Image Load for user32.dll initiated by powershell.exe. Sysmon Event ID 11: File Create for keylog_test.txt in %TEMP%. Security Event ID 4688 (if enabled) for powershell.exe process creation.

  2. Test 2: GetAsyncKeyState Polling Loop

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with GetAsyncKeyState in CommandLine. Sysmon Event ID 7: Image Load for user32.dll by powershell.exe. Sysmon Event ID 11: File Create for keystate_test.txt in %TEMP%.

  3. Test 3: Keylogger Filename and Registry Persistence Simulation

    Expected signal: Sysmon Event ID 11: File Create for keylogger.exe and klog_output.txt in %APPDATA%. Sysmon Event ID 13: Registry value set for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyCapture. Security Event ID 4688 for powershell.exe.

  4. Test 4: Empire-style Python Keylogger on Linux

    Expected signal: Linux auditd: SYSCALL records for open('/dev/input/event0') if auditd rules are configured for /dev/input monitoring. Syslog: Process creation of python3 with suspicious inline code. File creation of /tmp/key_capture_test.log. If using Sysmon for Linux: ProcessCreate event for python3 with CommandLine containing 'dev/input' and 'struct.unpack'.
