T1056.001 Microsoft Sentinel · KQL

Detect Keylogging in Microsoft Sentinel

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include API hooking or polling (SetWindowsHookEx, GetAsyncKeyState), reading hardware buffers, registry modifications, and custom drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems.

MITRE ATT&CK

Tactic: Collection, Credential Access
Technique: T1056 Input Capture
Sub-technique: T1056.001 Keylogging
Canonical reference: https://attack.mitre.org/techniques/T1056/001/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
let KeyloggerAPIs = dynamic([
  "SetWindowsHookEx", "SetWindowsHookExA", "SetWindowsHookExW",
  "GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
  "RegisterHotKey", "CallNextHookEx",
  "WH_KEYBOARD", "WH_KEYBOARD_LL"
]);
let SuspiciousKeyloggerFiles = dynamic([
  "keylog", "keystroke", "klog", "keycap", "keyrecord",
  "keyspy", "keyboard_log", "input_capture"
]);
let KeyloggerDriverPatterns = dynamic([
  "keyboard filter", "kbdfilter", "keylogdrv", "kbdhook"
]);
// Detect suspicious DLL loads indicative of keyboard hooking.
// DeviceImageLoadEvents has no AccountName column; derive it from the initiating process.
let DLLHookLoads = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName =~ "user32.dll" and InitiatingProcessFileName !in~ (
    "explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe",
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
    "notepad.exe", "code.exe", "teams.exe", "slack.exe",
    "svchost.exe", "dwm.exe", "taskhostw.exe"
  )
| extend Reason = "Suspicious user32.dll load by unusual process"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, FileName, Reason;
// Detect processes with keylogger-related strings in command line
let SuspiciousCmdLine = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (KeyloggerAPIs)
    or FileName has_any (SuspiciousKeyloggerFiles)
    or FolderPath has_any (SuspiciousKeyloggerFiles)
| extend Reason = "Process with keylogger API or filename pattern"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, FolderPath, Reason;
// Detect service installations with keylogger characteristics.
// DeviceRegistryEvents also lacks AccountName; use the initiating process account.
let SuspiciousServices = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
| where RegistryValueName =~ "ImagePath" or RegistryValueName =~ "Description"
| where RegistryValueData has_any (KeyloggerDriverPatterns)
    or RegistryValueData has_any (SuspiciousKeyloggerFiles)
| extend Reason = "Keylogger-related service registry entry"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, Reason;
// Detect suspicious file creation with keylogger-related names.
// DeviceFileEvents likewise exposes the account only via InitiatingProcessAccountName.
let SuspiciousFiles = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousKeyloggerFiles)
    or FolderPath has_any (SuspiciousKeyloggerFiles)
| extend Reason = "File creation with keylogger-related name"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, Reason;
// Union and surface results (outer union keeps every leg's distinct columns)
DLLHookLoads
| union SuspiciousCmdLine
| union SuspiciousServices
| union SuspiciousFiles
| sort by Timestamp desc
```

Severity: High · Confidence: Medium

Detects keylogger installation and activity indicators across multiple MDE tables. Covers suspicious user32.dll loads by unusual processes (keyboard hook API), processes referencing keylogger-related API names, keylogger-associated filename patterns, suspicious driver/service registry entries, and keylogger-related file creation. Unions results from DeviceImageLoadEvents, DeviceProcessEvents, DeviceRegistryEvents, and DeviceFileEvents for broad coverage.

Data Sources

  • Process: Process Creation
  • Image: Image Load
  • Windows Registry: Registry Value Modification
  • File: File Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceImageLoadEvents
  • DeviceRegistryEvents
  • DeviceFileEvents

False Positives & Tuning

  • Legitimate accessibility software (e.g., Dragon NaturallySpeaking, screen readers like JAWS, NVDA) that use keyboard hook APIs for input monitoring
  • Password managers and macro utilities (AutoHotkey, Logitech G Hub, Razer Synapse) that legitimately hook keyboard input for hotkeys
  • Security testing tools and endpoint security products that monitor keyboard input as part of behavior analysis
  • Remote desktop and virtual machine software (VMware, VirtualBox, AnyDesk, TeamViewer) that intercept keyboard input for session relay
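The exclusion list in the rule above keys on bare file names, so a renamed binary escapes it while a legitimately renamed vendor tool still trips it. As an added tuning example (not part of the page's rule or of any vendor content), the query below applies the false-positive classes listed here to the user32.dll image-load leg by allow-listing on the initiating process's embedded publisher name instead, and then ranks what remains by rarity and by whether it runs from a user-writable path. It assumes a Sentinel watchlist named KeyloggerAllowedPublishers whose SearchKey column holds publisher names; that watchlist name and its contents are assumptions, not something the page defines.

```kusto
// Added tuning example for the user32.dll image-load leg of the rule above.
// Assumption: a Sentinel watchlist 'KeyloggerAllowedPublishers' exists and its
// SearchKey column lists publishers of accessibility, macro, RDP and VM software
// (hypothetical names, e.g. "Nuance Communications, Inc.", "AutoHotkey").
let AllowedPublishers = _GetWatchlist('KeyloggerAllowedPublishers')
| project Publisher = tostring(SearchKey);
// Same per-file-name exclusions as the rule, kept as a first coarse filter
let CommonHookingProcesses = dynamic([
  "explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe",
  "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
  "notepad.exe", "code.exe", "teams.exe", "slack.exe",
  "svchost.exe", "dwm.exe", "taskhostw.exe"
]);
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName =~ "user32.dll"
| where InitiatingProcessFileName !in~ (CommonHookingProcesses)
// Drop loads whose initiating binary carries an allow-listed publisher in its version info;
// binaries with no publisher at all are deliberately kept, since that is what most
// hand-rolled keyloggers look like
| where isempty(InitiatingProcessVersionInfoCompanyName)
    or InitiatingProcessVersionInfoCompanyName !in~ (AllowedPublishers)
// Flag processes running from locations a standard user can write to
| extend FromUserPath = InitiatingProcessFolderPath has_any ("Users", "Temp", "AppData", "ProgramData")
| summarize LoadCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = dcount(DeviceName),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessVersionInfoCompanyName, FromUserPath
// Rare across the estate, or launched from a user path: review first.
// Widely deployed, vendor-named and under Program Files: almost always the benign
// accessibility or macro software listed above, and a candidate for the watchlist.
| where Devices <= 3 or FromUserPath
| order by FromUserPath desc, Devices asc, LoadCount desc
```

The summarize step is the point: instead of one alert per image load, an analyst sees one row per binary with its prevalence, which is what decides whether a hit goes on the watchlist or into an incident.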

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SetWindowsHookEx Keyboard Hook via PowerShell

    Expected signal:
      • Sysmon Event ID 1: Process Create for powershell.exe with the inline C# code in CommandLine.
      • Sysmon Event ID 7: Image Load for user32.dll initiated by powershell.exe.
      • Sysmon Event ID 11: File Create for keylog_test.txt in %TEMP%.
      • Security Event ID 4688 (if enabled) for powershell.exe process creation.

  2. Test 2: GetAsyncKeyState Polling Loop

    Expected signal:
      • Sysmon Event ID 1: Process Create for powershell.exe with GetAsyncKeyState in CommandLine.
      • Sysmon Event ID 7: Image Load for user32.dll by powershell.exe.
      • Sysmon Event ID 11: File Create for keystate_test.txt in %TEMP%.

  3. Test 3: Keylogger Filename and Registry Persistence Simulation

    Expected signal:
      • Sysmon Event ID 11: File Create for keylogger.exe and klog_output.txt in %APPDATA%.
      • Sysmon Event ID 13: Registry value set for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyCapture.
      • Security Event ID 4688 for powershell.exe.

  4. Test 4: Empire-style Python Keylogger on Linux

    Expected signal:
      • Linux auditd: SYSCALL records for open('/dev/input/event0') if auditd rules are configured for /dev/input monitoring.
      • Syslog: Process creation of python3 with suspicious inline code.
      • File creation of /tmp/key_capture_test.log.
      • If using Sysmon for Linux: ProcessCreate event for python3 with CommandLine containing 'dev/input' and 'struct.unpack'.
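After running the tests, the question is which of the four actually produced telemetry the rule can see. The expected signals above are phrased as Sysmon and auditd events; the rule itself reads the Microsoft Defender for Endpoint Device* tables. As an added validation query (not part of the page's rule or of Atomic Red Team), the block below looks for each test's named artefacts in those same tables and returns one row per test with an Observed count, so a test that left nothing behind shows up as 0 rather than silently disappearing. It assumes the test host is onboarded to Defender for Endpoint so that its file, process and registry events land in the Device* tables; the device name TESTHOST-PLACEHOLDER is a placeholder to replace, and the two-hour lookback is an assumption.

```kusto
// Added validation query: did each Atomic Red Team test above leave its expected
// artefacts in the MDE tables the detection rule reads?
// Assumptions: test host onboarded to Defender for Endpoint; replace the placeholder name.
let TestHost = "TESTHOST-PLACEHOLDER";
let Lookback = 2h;
// File artefacts named in the expected-signal lists
let FileArtifacts = DeviceFileEvents
| where Timestamp > ago(Lookback) and DeviceName =~ TestHost
| where ActionType == "FileCreated"
| extend Test = case(
    FileName =~ "keylog_test.txt", "Test 1",
    FileName =~ "keystate_test.txt", "Test 2",
    FileName in~ ("keylogger.exe", "klog_output.txt"), "Test 3",
    FileName =~ "key_capture_test.log", "Test 4",
    "")
| where isnotempty(Test)
| project Timestamp, Test, Signal = strcat("File create: ", FolderPath);
// Process artefacts: the command-line markers each test is expected to carry
let ProcessArtifacts = DeviceProcessEvents
| where Timestamp > ago(Lookback) and DeviceName =~ TestHost
| extend Test = case(
    FileName =~ "powershell.exe" and ProcessCommandLine has "SetWindowsHookEx", "Test 1",
    FileName =~ "powershell.exe" and ProcessCommandLine has "GetAsyncKeyState", "Test 2",
    FileName =~ "python3" and ProcessCommandLine has "dev/input"
        and ProcessCommandLine has "struct.unpack", "Test 4",
    "")
| where isnotempty(Test)
| project Timestamp, Test, Signal = strcat("Process create: ", FileName);
// Registry artefact: the Run-key value written by Test 3
let RegistryArtifacts = DeviceRegistryEvents
| where Timestamp > ago(Lookback) and DeviceName =~ TestHost
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\Run"
    and RegistryValueName =~ "KeyCapture"
| project Timestamp, Test = "Test 3", Signal = strcat("Registry value set: ", RegistryValueName);
// The full expected set, so tests with no telemetry still appear with Observed = 0
let Expected = datatable(Test:string, Name:string) [
  "Test 1", "SetWindowsHookEx Keyboard Hook via PowerShell",
  "Test 2", "GetAsyncKeyState Polling Loop",
  "Test 3", "Keylogger Filename and Registry Persistence Simulation",
  "Test 4", "Empire-style Python Keylogger on Linux"
];
Expected
| join kind=leftouter (
    union FileArtifacts, ProcessArtifacts, RegistryArtifacts
    | summarize Observed = count(), Signals = make_set(Signal), FirstSeen = min(Timestamp) by Test
  ) on Test
| project Test, Name, Observed = coalesce(Observed, 0), FirstSeen, Signals
| order by Test asc
```

A row with Observed = 0 is itself a finding: either the test did not run as documented, or that telemetry never reaches the table the rule depends on (a Linux host without Defender for Endpoint is the obvious case for Test 4), and the rule's coverage claim should be adjusted accordingly.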
