Detect Keylogging in CrowdStrike LogScale
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include user-mode hooking (SetWindowsHookEx with WH_KEYBOARD or WH_KEYBOARD_LL), polling key state (GetAsyncKeyState, GetKeyState), reading raw keyboard data from the hardware buffer, registry modifications (for example registering a keyboard filter driver or service), and custom drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems.
MITRE ATT&CK
- Tactic
- Collection, Credential Access
- Technique
- T1056 Input Capture
- Sub-technique
- T1056.001 Keylogging
- Canonical reference
- https://attack.mitre.org/techniques/T1056/001/
LogScale Detection Query
in(#event_simpleName, values=["ImageLoad", "ProcessRollup2", "SyntheticProcessRollup2", "PeFileWritten", "RegKeyCreate", "RegValueUpdate", "RegKeyUpdate"])
/* Signal 1: user32.dll image load by a process outside the allow-list (keyboard-hook precursor; low fidelity on its own) */
| case {
    #event_simpleName = "ImageLoad"
    AND ImageFileName = /\\user32\.dll$/i
    AND NOT ContextImageFileName = /\\(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|Code|teams|slack|svchost|dwm|taskhostw|ctfmon|RuntimeBroker|conhost|WerFault)\.exe$/i
    | signal_type := "SUSPICIOUS_USER32_HOOK_LOAD" ;
    *
  }
/* Signal 2: Process creation with keylogger API names in the command line, or a keylogger-style image name */
| case {
    in(#event_simpleName, values=["ProcessRollup2", "SyntheticProcessRollup2"])
    AND (
      CommandLine = /(SetWindowsHookEx[AW]?|GetAsyncKeyState|GetKeyState|GetKeyboardState|RegisterHotKey|CallNextHookEx|WH_KEYBOARD(_LL)?)/i
      OR ImageFileName = /(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture)/i
    )
    | signal_type := "KEYLOGGER_API_OR_FILENAME" ;
    *
  }
/* Signal 3: Registry modification matching keylogger driver or service patterns */
| case {
    in(#event_simpleName, values=["RegKeyCreate", "RegValueUpdate", "RegKeyUpdate"])
    AND (
      RegObjectName = /(keylog|kbdfilter|keyboard[._]filter|keylogdrv|kbdhook)/i
      OR (
        RegObjectName = /CurrentControlSet\\Services/i
        AND RegStringValue = /(keylog|kbdfilter|keylogdrv|\bklog\b)/i
      )
    )
    | signal_type := "KEYLOGGER_REGISTRY_MODIFICATION" ;
    *
  }
/* Signal 4: PE file written to disk with a keylogger-related name */
| case {
    #event_simpleName = "PeFileWritten"
    AND TargetFileName = /(keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|keyboard_log|input_capture)/i
    | signal_type := "KEYLOGGER_PE_FILE_CREATED" ;
    *
  }
/* Keep only events that one of the case blocks labelled; events that matched no branch have no signal_type field */
| signal_type = *
| select([@timestamp, #event_simpleName, signal_type, ComputerName, UserName, CommandLine, ImageFileName, ContextImageFileName, RegObjectName, RegStringValue, TargetFileName, TargetDirectoryName, ProcessId, ParentProcessId])
| sort(field=@timestamp, order=desc)
CrowdStrike Falcon LogScale (CQL) detection for behavioral indicators of keylogger installation and activity on Windows endpoints. It labels four Falcon telemetry signals with case expressions: ImageLoad events for user32.dll by processes outside the allow-list (a keyboard-hook precursor), ProcessRollup2/SyntheticProcessRollup2 events whose command line contains keylogger API names or whose image name matches keylogger naming patterns, registry events (RegKeyCreate/RegValueUpdate/RegKeyUpdate) matching keylogger driver/service patterns, and PeFileWritten events creating keylogger-named PE files. Covers MITRE ATT&CK T1056.001.
Two caveats when operating the query. Signal 1 is low fidelity on its own: almost every process that creates a window or runs a message loop loads user32.dll, so it fires for any application missing from the allow-list; treat it as context for the other signals, or scope ContextImageFileName to user-writable paths (AppData, Temp, ProgramData, Downloads) before alerting on it alone. Signal 2's API regex only matches API names that appear literally in the command line, as with inline PowerShell or C# (the tests below); a compiled keylogger that imports SetWindowsHookEx from user32.dll is not caught by that clause, so for those the ImageLoad, registry and PE-write signals and the name patterns carry the detection.
Data Sources
CrowdStrike Falcon sensor event data ingested into LogScale (Windows hosts).
Required Tables
LogScale has no tables; the query reads Falcon events selected by #event_simpleName: ImageLoad, ProcessRollup2, SyntheticProcessRollup2, PeFileWritten, RegKeyCreate, RegValueUpdate, RegKeyUpdate.
False Positives & Tuning
- Nearly every Windows process that creates a window or runs a message loop loads user32.dll, so Signal 1 fires for any application missing from the query's allow-list, not only for security tooling. Tune it by extending the allow-list from a baseline of ImageLoad events in your environment, or by restricting ContextImageFileName to user-writable locations (AppData, Temp, ProgramData, Downloads) before alerting on it on its own.
- Third-party endpoint security products from other vendors (Symantec, McAfee/Trellix, Trend Micro) load user32.dll from service paths that are not on the query's allow-list and may install keyboard filter components, generating false positives especially in environments running multiple security agents.
- Enterprise application monitoring and APM agents (AppDynamics, Dynatrace, New Relic) that instrument .NET or Java applications may hook keyboard APIs to measure user interaction latency, producing API-pattern detections during normal performance monitoring.
- Biometric authentication software and smart card middleware that map keyboard events to authentication triggers can match keylogger API patterns while performing authorized multi-factor authentication operations.
Testing Methodology
Validate this detection against the four test cases below, derived from the Atomic Red Team atomics for T1056.001. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SetWindowsHookEx Keyboard Hook via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# code in CommandLine. Sysmon Event ID 7: Image Load for user32.dll initiated by powershell.exe. Sysmon Event ID 11: File Create for keylog_test.txt in %TEMP%. Security Event ID 4688 (if enabled) for powershell.exe process creation. In Falcon telemetry this is a ProcessRollup2 event with SetWindowsHookEx in CommandLine (Signal 2) and an ImageLoad of user32.dll by powershell.exe (Signal 1); keylog_test.txt is not a PE image, so no PeFileWritten event is produced.
- Test 2: GetAsyncKeyState Polling Loop
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with GetAsyncKeyState in CommandLine. Sysmon Event ID 7: Image Load for user32.dll by powershell.exe. Sysmon Event ID 11: File Create for keystate_test.txt in %TEMP%. In Falcon telemetry: ProcessRollup2 with GetAsyncKeyState in CommandLine (Signal 2) and the user32.dll ImageLoad by powershell.exe (Signal 1).
- Test 3: Keylogger Filename and Registry Persistence Simulation
Expected signal: Sysmon Event ID 11: File Create for keylogger.exe and klog_output.txt in %APPDATA%. Sysmon Event ID 13: Registry value set for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyCapture. Security Event ID 4688 for powershell.exe. In Falcon telemetry, keylogger.exe produces a PeFileWritten event (Signal 4) only if the bytes written are an actual PE image; klog_output.txt never does. The Run value KeyCapture is not matched by Signal 3, whose patterns look for keylog, kbdfilter, keyboard filter or kbdhook in the key path, and in the value data only under CurrentControlSet\Services; run this test to confirm that gap and extend the patterns if Run-key persistence of a keylogger-named binary should alert.
- Test 4: Empire-style Python Keylogger on Linux
Expected signal: Linux auditd: SYSCALL records for open('/dev/input/event0') if auditd rules are configured for /dev/input monitoring. Syslog: Process creation of python3 with suspicious inline code. File creation of /tmp/key_capture_test.log. If using Sysmon for Linux: ProcessCreate event for python3 with CommandLine containing 'dev/input' and 'struct.unpack'. The query above reads Windows Falcon events and none of its patterns match python3 or /dev/input, so this test will not alert on it; it validates Linux telemetry coverage only.
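As an added example that is not part of the original page or of CrowdStrike's content, the following Python re-implements the four CQL signals above so the regexes can be run offline against constructed Falcon-style events, including the cases the four tests above are expected to produce. Field names (#event_simpleName, ContextImageFileName, RegObjectName, RegStringValue, TargetFileName) are taken from the query; the events, SID, paths and command lines are constructed for illustration and are not real telemetry. It shows which test steps the query labels, that chrome.exe loading user32.dll is allow-listed, and that the Test 3 Run value and the Test 4 Linux process produce no signal.

```python
import re

# Regexes transcribed from the four CQL case blocks (case-insensitive, as /.../i there).
TRUSTED_USER32_LOADERS = re.compile(
    r"\\(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|Code|teams|"
    r"slack|svchost|dwm|taskhostw|ctfmon|RuntimeBroker|conhost|WerFault)\.exe$", re.I)
USER32 = re.compile(r"\\user32\.dll$", re.I)
KEYLOG_API = re.compile(r"SetWindowsHookEx[AW]?|GetAsyncKeyState|GetKeyState|GetKeyboardState|"
                        r"RegisterHotKey|CallNextHookEx|WH_KEYBOARD(_LL)?", re.I)
KEYLOG_IMAGE = re.compile(r"keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture", re.I)
KEYLOG_PE = re.compile(r"keylog|keystroke|\bklog\b|keycap|keyrecord|keyspy|keyboard_log|input_capture", re.I)
KEYLOG_REGKEY = re.compile(r"keylog|kbdfilter|keyboard[._]filter|keylogdrv|kbdhook", re.I)
SERVICES_KEY = re.compile(r"CurrentControlSet\\Services", re.I)
KEYLOG_SVC_DATA = re.compile(r"keylog|kbdfilter|keylogdrv|\bklog\b", re.I)
PROCESS_EVENTS = {"ProcessRollup2", "SyntheticProcessRollup2"}
REG_EVENTS = {"RegKeyCreate", "RegValueUpdate", "RegKeyUpdate"}


def classify(ev: dict) -> str:
    """Return the signal_type the CQL case blocks assign to one event, or "" if none matches."""
    kind = ev.get("#event_simpleName", "")
    if kind == "ImageLoad":
        if USER32.search(ev.get("ImageFileName", "")) and \
                not TRUSTED_USER32_LOADERS.search(ev.get("ContextImageFileName", "")):
            return "SUSPICIOUS_USER32_HOOK_LOAD"
    elif kind in PROCESS_EVENTS:
        if KEYLOG_API.search(ev.get("CommandLine", "")) or KEYLOG_IMAGE.search(ev.get("ImageFileName", "")):
            return "KEYLOGGER_API_OR_FILENAME"
    elif kind in REG_EVENTS:
        key, data = ev.get("RegObjectName", ""), ev.get("RegStringValue", "")
        if KEYLOG_REGKEY.search(key) or (SERVICES_KEY.search(key) and KEYLOG_SVC_DATA.search(data)):
            return "KEYLOGGER_REGISTRY_MODIFICATION"
    elif kind == "PeFileWritten":
        if KEYLOG_PE.search(ev.get("TargetFileName", "")):
            return "KEYLOGGER_PE_FILE_CREATED"
    return ""


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events modelled on the Testing Methodology (not real Falcon telemetry; SID and
# paths are made up): (description, event, label the query should assign).
SAMPLE_EVENTS = [
    ("Test 1: SetWindowsHookEx in an inline PowerShell command line",
     {"#event_simpleName": "ProcessRollup2", "ImageFileName": PS,
      "CommandLine": 'powershell.exe -NoProfile -Command "Add-Type -MemberDefinition $hook -Name K '
                     '-Namespace W; [W.K]::SetWindowsHookExA(13, $cb, [IntPtr]::Zero, 0)"'},
     "KEYLOGGER_API_OR_FILENAME"),
    ("Test 1/2: user32.dll loaded by powershell.exe (not on the allow-list)",
     {"#event_simpleName": "ImageLoad", "ImageFileName": r"C:\Windows\System32\user32.dll",
      "ContextImageFileName": PS},
     "SUSPICIOUS_USER32_HOOK_LOAD"),
    ("Baseline: chrome.exe loading user32.dll is allow-listed",
     {"#event_simpleName": "ImageLoad", "ImageFileName": r"C:\Windows\System32\user32.dll",
      "ContextImageFileName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
     ""),
    ("Test 3: keylogger.exe written to %APPDATA% (PeFileWritten only if it is a real PE image)",
     {"#event_simpleName": "PeFileWritten",
      "TargetFileName": r"C:\Users\alice\AppData\Roaming\keylogger.exe"},
     "KEYLOGGER_PE_FILE_CREATED"),
    ("Test 3: Run value KeyCapture is a gap; Signal 3 reads value data only under Services",
     {"#event_simpleName": "RegValueUpdate",
      "RegObjectName": r"\REGISTRY\USER\S-1-5-21-1000-2000-3000-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
      "RegStringValue": r"C:\Users\alice\AppData\Roaming\keylogger.exe"},
     ""),
    ("Keyboard filter driver service registered under CurrentControlSet\\Services",
     {"#event_simpleName": "RegKeyCreate",
      "RegObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\kbdfilter"},
     "KEYLOGGER_REGISTRY_MODIFICATION"),
    ("Test 4: Linux /dev/input reader matches none of the Windows-oriented patterns",
     {"#event_simpleName": "ProcessRollup2", "ImageFileName": "/usr/bin/python3",
      "CommandLine": "python3 -c \"import struct; f=open('/dev/input/event0','rb'); "
                     "print(struct.unpack('llHHI', f.read(24)))\""},
     ""),
]


def run(events=SAMPLE_EVENTS):
    """Classify every sample; returns (description, expected, actual) triples."""
    return [(desc, expected, classify(ev)) for desc, ev, expected in events]


def mismatches(events=SAMPLE_EVENTS):
    """Samples where the query's behaviour differs from what the test case expects."""
    return [r for r in run(events) if r[1] != r[2]]


if __name__ == "__main__":
    for desc, expected, actual in run():
        print(f"{actual or '(no signal)':32} {desc}")
```

Drop additional events into SAMPLE_EVENTS with the label you expect and check mismatches() before changing the CQL; the two empty-label samples are the documented gaps (Run-key persistence and Linux), so a regex change that starts labelling them shows up there first.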
References (11)
- https://attack.mitre.org/techniques/T1056/001/
- http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
- https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/
- https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md
- https://learn.microsoft.com/en-us/windows/win32/winmsg/about-hooks
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexw
- https://www.eset.com/int/about/newsroom/research/evasive-panda-apt-group-uses-supply-chain-attacks-to-target-tibetans/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation