Detect Keylogging in IBM QRadar
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include Windows message hooks (SetWindowsHookEx with WH_KEYBOARD or WH_KEYBOARD_LL), key-state polling (GetAsyncKeyState, GetKeyState, GetKeyboardState), reading hardware buffers, registry modifications, and custom keyboard filter drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems: API names and keylogger-style names in process launches, DLL loads, registry writes, file creation and service installation.
MITRE ATT&CK
- Tactic
- Collection, Credential Access
- Technique
- T1056 Input Capture
- Sub-technique
- T1056.001 Keylogging
- Canonical reference
- https://attack.mitre.org/techniques/T1056/001/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
LOGSOURCENAME(logsourceid) AS "Log Source",
CATEGORYNAME(category) AS "Category",
username AS "User",
sourceip AS "Source IP",
QIDNAME(qid) AS "Event Name",
"EventCode",
"Image",
"CommandLine",
"ImageLoaded",
"TargetObject",
"Details",
"TargetFilename",
"ServiceName",
"ServiceFileName",
CASE
/* IMATCHES is a case-insensitive Java regex that must match the whole value, so patterns are wrapped in .* rather than the LIKE wildcard % */
WHEN LONG("EventCode") = 1 AND (
"CommandLine" IMATCHES '.*(getkeystate|getasynckeystate|setwindowshookex|wh_keyboard|wh_keyboard_ll|getkeyboardstate|registerhotkey|callnexthookex).*'
OR "Image" IMATCHES '.*(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture).*'
) THEN 'Keylogger API or filename in process launch'
WHEN LONG("EventCode") = 7
AND "ImageLoaded" IMATCHES '.*user32\.dll.*'
AND NOT "Image" IMATCHES '.*(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|notepad\.exe|code\.exe|teams\.exe|slack\.exe|svchost\.exe|dwm\.exe|taskhostw\.exe|ctfmon\.exe|runtimebroker\.exe|conhost\.exe|werfault\.exe).*'
THEN 'Suspicious user32.dll load by non-standard process'
WHEN LONG("EventCode") IN (12, 13, 14) AND (
"TargetObject" IMATCHES '.*(keylog|kbdfilter|keyboard.filter|keylogdrv|kbdhook|keycap).*'
OR ("TargetObject" IMATCHES '.*currentcontrolset.*services.*' AND "Details" IMATCHES '.*(keylog|kbdfilter|keylogdrv|klog).*')
) THEN 'Keylogger-related registry modification'
WHEN LONG("EventCode") = 11
AND "TargetFilename" IMATCHES '.*(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture).*'
THEN 'Keylogger-related file creation'
WHEN LONG("EventCode") = 7045
AND "ServiceFileName" IMATCHES '.*(keylog|keystroke|kbdfilter|keylogdrv|klog).*'
THEN 'Keylogger-related service installation'
ELSE 'Unknown'
END AS "Detection Reason"
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (143, 382, 384)
AND starttime > NOW() - 86400000
AND (
/* Sysmon EID 1 - Process Create with keylogger API names in the command line or a keylogger-style image name */
(LONG("EventCode") = 1 AND (
"CommandLine" IMATCHES '.*(getkeystate|getasynckeystate|setwindowshookex|wh_keyboard|wh_keyboard_ll|getkeyboardstate|registerhotkey|callnexthookex).*'
OR "Image" IMATCHES '.*(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture).*'
))
/* Sysmon EID 7 - Image Load: user32.dll by a process outside the allow-list (requires image load logging in the Sysmon config) */
OR (LONG("EventCode") = 7
AND "ImageLoaded" IMATCHES '.*user32\.dll.*'
AND NOT "Image" IMATCHES '.*(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|notepad\.exe|code\.exe|teams\.exe|slack\.exe|svchost\.exe|dwm\.exe|taskhostw\.exe|ctfmon\.exe|runtimebroker\.exe|conhost\.exe|werfault\.exe).*'
)
/* Sysmon EID 12/13/14 - Registry key or value events with keylogger patterns, including service entries under CurrentControlSet\Services */
OR (LONG("EventCode") IN (12, 13, 14) AND (
"TargetObject" IMATCHES '.*(keylog|kbdfilter|keyboard.filter|keylogdrv|kbdhook|keycap).*'
OR ("TargetObject" IMATCHES '.*currentcontrolset.*services.*' AND "Details" IMATCHES '.*(keylog|kbdfilter|keylogdrv|klog).*')
))
/* Sysmon EID 11 - File Create with keylogger-style name */
OR (LONG("EventCode") = 11
AND "TargetFilename" IMATCHES '.*(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture).*'
)
/* System EID 7045 - Service Control Manager service install with keylogger traits (Security EID 4697 is the audited equivalent) */
OR (LONG("EventCode") = 7045
AND "ServiceFileName" IMATCHES '.*(keylog|keystroke|kbdfilter|keylogdrv|klog).*'
)
)
ORDER BY starttime DESC

Detects keylogger installation and activity indicators across Windows Sysmon, System and Security event logs. Correlates five behavioral signals: keylogger API names in process command lines or keylogger-style image names (Sysmon 1), user32.dll loads by processes outside a short allow-list (Sysmon 7), keylogger-pattern registry keys, values and service entries (Sysmon 12/13/14), keylogger-named file creation (Sysmon 11), and keylogger-named service installation (System 7045 from the Service Control Manager; Security 4697 carries the same information where service install auditing is enabled). LOGSOURCETYPEID 143 covers Microsoft Windows Security Event Log and 382 covers Sysmon; confirm these IDs, and 384, against the log source types in your own deployment before relying on the filter. The CASE expression repeats the WHERE conditions so that each row carries the reason it matched; 'Unknown' should never appear, and if it does the two blocks have drifted apart. Two limits are worth keeping in mind: the API-name branch only fires when the function name appears literally in the command line (inline PowerShell or C# is the usual case), since a compiled keylogger imports SetWindowsHookEx or GetAsyncKeyState without exposing it in process arguments; and Sysmon only emits Event ID 7 when image load logging is enabled in its configuration. The quoted fields ("EventCode", "Image", "CommandLine", "ImageLoaded", "TargetObject", "Details", "TargetFilename", "ServiceName", "ServiceFileName") must exist as custom event properties populated for these log sources. Covers MITRE ATT&CK T1056.001.
Data Sources
- Sysmon (log source type 382): Event ID 1 (Process Create), 7 (Image Load, off by default and enabled through the Sysmon configuration), 11 (File Create) and 12/13/14 (Registry key add or delete, value set, key or value rename).
- Microsoft Windows Security Event Log (log source type 143), which in QRadar also carries the System channel: Event ID 7045 (service installed) and, where process creation auditing is enabled, Security 4688 as referenced by the tests below.
Required Tables
- events, with the custom event properties "EventCode", "Image", "CommandLine", "ImageLoaded", "TargetObject", "Details", "TargetFilename", "ServiceName" and "ServiceFileName" parsed for the log sources above.
False Positives & Tuning
- Input method editors (IMEs) and third-party keyboard software (language input tools, keyboard layout managers) register keyboard hooks and write configuration files that may match naming patterns; this is particularly common in multilingual enterprise environments.
- Password managers such as KeePass, 1Password, and Bitwarden use keyboard shortcut detection APIs (RegisterHotKey, GetAsyncKeyState) to implement global autofill shortcuts. Because these calls are compiled in rather than passed on the command line, they surface through the user32.dll image-load branch rather than the API-name branch; add the signed binaries to the allow-list once confirmed.
- The user32.dll branch is by far the loudest: nearly every interactive process and many service processes load user32.dll, so any image missing from the allow-list fires. Treat it as a correlation input (same process also producing a Sysmon 1 or 11 hit inside the window) or restrict it to images started from user-writable paths such as %TEMP%, %APPDATA% or Downloads before alerting on it by itself.
- Penetration testing and red team exercises using tools like Metasploit's keylogger module or commercial C2 frameworks may intentionally trigger all detection signals; validate against authorized engagements before escalating.
- Custom enterprise monitoring agents or user activity monitoring (UAM) tools deployed by IT/HR teams may install keyboard capture services with names or service paths matching keylogger patterns as part of authorized endpoint monitoring.
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see, together with which branch of the query is expected to turn that telemetry into a row. Executable commands and cleanup steps are available with Pro.
- Test 1: SetWindowsHookEx Keyboard Hook via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# code in CommandLine. Sysmon Event ID 7: Image Load for user32.dll initiated by powershell.exe. Sysmon Event ID 11: File Create for keylog_test.txt in %TEMP%. Security Event ID 4688 (if enabled) for powershell.exe process creation. The query flags the Sysmon 1 event through the SetWindowsHookEx string in CommandLine, the Sysmon 7 event because powershell.exe is not on the user32.dll allow-list, and the Sysmon 11 event through the keylog prefix of the file name.
- Test 2: GetAsyncKeyState Polling Loop
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with GetAsyncKeyState in CommandLine. Sysmon Event ID 7: Image Load for user32.dll by powershell.exe. Sysmon Event ID 11: File Create for keystate_test.txt in %TEMP%. Only the Sysmon 1 and 7 events are flagged: keystate_test.txt matches none of the file-name terms, so confirm it is the command-line branch that fires.
- Test 3: Keylogger Filename and Registry Persistence Simulation
Expected signal: Sysmon Event ID 11: File Create for keylogger.exe and klog_output.txt in %APPDATA%. Sysmon Event ID 13: Registry value set for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyCapture. Security Event ID 4688 for powershell.exe. Both file creates match the Sysmon 11 branch (keylogger, klog); the Run\KeyCapture value is caught by the registry branch only if its pattern includes a keycap term alongside keylog, so check the deployed pattern if that row is missing.
- Test 4: Empire-style Python Keylogger on Linux
Expected signal: Linux auditd: SYSCALL records for open('/dev/input/event0') if auditd rules are configured for /dev/input monitoring. Syslog: Process creation of python3 with suspicious inline code. File creation of /tmp/key_capture_test.log. If using Sysmon for Linux: ProcessCreate event for python3 with CommandLine containing 'dev/input' and 'struct.unpack'. This query is scoped to Windows log source types and produces no rows for this test; it is listed to document the Linux telemetry a separate rule would need.
References
- https://attack.mitre.org/techniques/T1056/001/
- http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
- https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/
- https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md
- https://learn.microsoft.com/en-us/windows/win32/winmsg/about-hooks
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexw
- https://www.eset.com/int/about/newsroom/research/evasive-panda-apt-group-uses-supply-chain-attacks-to-target-tibetans/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation