T1056.001 Splunk · SPL

Detect Keylogging in Splunk

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include API hooking (SetWindowsHookEx), polling keyboard state (GetAsyncKeyState), reading hardware buffers, registry modifications, and custom keyboard-filter drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems.

MITRE ATT&CK

Tactic
Collection, Credential Access
Technique
T1056 Input Capture
Sub-technique
T1056.001 Keylogging
Canonical reference
https://attack.mitre.org/techniques/T1056/001/

SPL Detection Query

Splunk (SPL)
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
``` Adjust the index and sourcetype names above to match your inputs ```

``` Process creation with keylogger indicators (API names in the command line, or a keylogger-like image name) ```
| eval KeyloggerProcess=if(
    EventCode=1 AND (
      match(lower(CommandLine), "(getkeystate|getasynckeystate|setwindowshookex|wh_keyboard|getkeyboardstate|registerhotkey)") OR
      match(lower(Image), "(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog)")
    ), 1, 0)

``` Image loads - user32.dll by unusual processes ```
| eval SuspiciousHookLoad=if(
    EventCode=7 AND
    match(lower(ImageLoaded), "user32\.dll") AND
    NOT match(lower(Image), "(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|notepad\.exe|code\.exe|teams\.exe|slack\.exe|svchost\.exe|dwm\.exe|taskhostw\.exe|ctfmon\.exe|runtimebroker\.exe)"),
    1, 0)

``` Registry modifications: keylogger-named keys or values, or a service / Run entry whose data points at a keylogger binary ```
| eval SuspiciousRegistry=if(
    (EventCode IN (12,13,14)) AND (
      match(lower(TargetObject), "(keylog|keystroke|klog|keycap|kbdfilter|keyboard.filter|keylogdrv)") OR
      (match(lower(TargetObject), "(currentcontrolset\\\\services|currentversion\\\\run)") AND match(lower(Details), "(keylog|klog|keycap|kbdfilter|keylogdrv)"))
    ), 1, 0)

``` File creation with keylogger-related names ```
| eval SuspiciousFile=if(
    EventCode=11 AND
    match(lower(TargetFilename), "(keylog|keystroke|klog|keycap|keyrecord|keyspy|keyboard_log|input_capture)"),
    1, 0)

``` Windows Security - Service install with keylogger traits ```
| eval SuspiciousService=if(
    EventCode=7045 AND
    match(lower(ServiceFileName), "(keylog|keystroke|kbdfilter|keylogdrv|klog)"),
    1, 0)

| eval DetectionReason=mvappend(
    if(KeyloggerProcess=1, "Keylogger API/filename in process", null()),
    if(SuspiciousHookLoad=1, "Suspicious user32.dll load", null()),
    if(SuspiciousRegistry=1, "Suspicious registry modification", null()),
    if(SuspiciousFile=1, "Keylogger-related file created", null()),
    if(SuspiciousService=1, "Keylogger-related service installed", null())
  )
| where KeyloggerProcess + SuspiciousHookLoad + SuspiciousRegistry + SuspiciousFile + SuspiciousService > 0

``` Each indicator is keyed to a different EventCode, so a single event can only ever score 1. Aggregate per host and process over a window so that independent indicators add up. Security 7045 events carry no Image, so the service binary stands in for it. ```
| eval Image=coalesce(Image, ServiceFileName)
| bin _time span=1h
| stats count AS EventCount,
    max(KeyloggerProcess) AS KeyloggerProcess, max(SuspiciousHookLoad) AS SuspiciousHookLoad,
    max(SuspiciousRegistry) AS SuspiciousRegistry, max(SuspiciousFile) AS SuspiciousFile,
    max(SuspiciousService) AS SuspiciousService,
    values(User) AS User, values(EventCode) AS EventCode, values(CommandLine) AS CommandLine,
    values(ImageLoaded) AS ImageLoaded, values(TargetObject) AS TargetObject,
    values(TargetFilename) AS TargetFilename, values(ServiceName) AS ServiceName,
    values(DetectionReason) AS DetectionReason
    BY _time, host, Image
| eval TotalScore=KeyloggerProcess + SuspiciousHookLoad + SuspiciousRegistry + SuspiciousFile + SuspiciousService
| eval DetectionReason=mvjoin(DetectionReason, " | ")
| table _time, host, User, Image, EventCode, EventCount, CommandLine, ImageLoaded, TargetObject, TargetFilename, ServiceName, TotalScore, DetectionReason
| sort - TotalScore, - _time
Severity: high · Confidence: medium

Multi-event Sysmon and Windows Security Log detection for keylogger activity. Covers process creation with keylogger API references (GetAsyncKeyState, SetWindowsHookEx, WH_KEYBOARD), user32.dll loads by processes outside a short allowlist (Sysmon EID 7), registry modifications with keylogger-related strings (Sysmon EID 12/13/14), keylogger-named file creation (Sysmon EID 11), and suspicious service installations (Security EID 7045). Because each indicator is tied to a different event type, hits are aggregated per host and process over a one-hour window: TotalScore counts the distinct indicator types seen for that process, so a value above 1 means several independent signals landed on the same binary and should be triaged first. The index name and sourcetype strings are deployment-specific; adjust them to match your inputs.
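The per-event indicators and the per-process aggregation, reimplemented in Python over constructed Sysmon/Security-style events so the logic can be exercised offline. This is an added example, not the page's query or any vendor's code: field names follow the Sysmon and Security fields the SPL uses, the event dictionaries are made up, and the registry pattern here also carries the keycap and klog tokens that the file and process patterns already use, so that a Run value named KeyCapture (Test 3 below) is caught. It makes the scoring point concrete: an event can satisfy only one indicator, so a score above 1 appears only once hits are grouped by host and process.

```python
import re
from collections import defaultdict

# Indicator patterns mirrored from the SPL evals (matched on lower-cased
# field values, as lower() does in the query).
API_RE = re.compile(r"(getkeystate|getasynckeystate|setwindowshookex|wh_keyboard|getkeyboardstate|registerhotkey)")
NAME_RE = re.compile(r"(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog)")
FILE_RE = re.compile(r"(keylog|keystroke|klog|keycap|keyrecord|keyspy|keyboard_log|input_capture)")
# This example's choice: the registry pattern also includes keycap/klog so a
# Run value named "KeyCapture" is caught.
REG_RE = re.compile(r"(keylog|keystroke|klog|keycap|kbdfilter|keyboard.filter|keylogdrv)")
SVC_RE = re.compile(r"(keylog|klog|keycap|kbdfilter|keylogdrv)")
HOOK_ALLOWLIST_RE = re.compile(
    r"(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|outlook\.exe|winword\.exe|excel\.exe|"
    r"powerpnt\.exe|notepad\.exe|code\.exe|teams\.exe|slack\.exe|svchost\.exe|dwm\.exe|"
    r"taskhostw\.exe|ctfmon\.exe|runtimebroker\.exe)"
)


def score_event(ev):
    """Return the detection reasons for one event.

    Every indicator is keyed to a distinct EventCode, so a single event can
    contribute at most one reason: a per-event score never exceeds 1.
    """
    code = ev.get("EventCode")
    f = lambda k: str(ev.get(k, "")).lower()
    reasons = []
    if code == 1 and (API_RE.search(f("CommandLine")) or NAME_RE.search(f("Image"))):
        reasons.append("Keylogger API/filename in process")
    if code == 7 and "user32.dll" in f("ImageLoaded") and not HOOK_ALLOWLIST_RE.search(f("Image")):
        reasons.append("Suspicious user32.dll load")
    if code in (12, 13, 14) and (
        REG_RE.search(f("TargetObject"))
        or (re.search(r"(currentcontrolset\\services|currentversion\\run)", f("TargetObject"))
            and SVC_RE.search(f("Details")))
    ):
        reasons.append("Suspicious registry modification")
    if code == 11 and FILE_RE.search(f("TargetFilename")):
        reasons.append("Keylogger-related file created")
    if code == 7045 and SVC_RE.search(f("ServiceFileName")):
        reasons.append("Keylogger-related service installed")
    return reasons


def score_by_process(events):
    """Aggregate reasons per (host, process), like `stats ... by host, Image`.

    Security 7045 events carry no Image, so the service binary stands in for
    it. The score is the number of distinct indicator types seen for that
    process, which is the only way to get a value above 1.
    """
    agg = defaultdict(set)
    for ev in events:
        for reason in score_event(ev):
            key = (ev["host"], ev.get("Image") or ev.get("ServiceFileName", ""))
            agg[key].add(reason)
    return {k: (len(v), sorted(v)) for k, v in agg.items()}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed Sysmon/Security-style events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "EventCode": 1, "Image": PS,
     "CommandLine": 'powershell.exe -NoP -c "Add-Type $src; [Hook]::SetWindowsHookEx(13, $cb, 0, 0)"'},
    {"host": "WS01", "EventCode": 7, "Image": PS,
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"host": "WS01", "EventCode": 11, "Image": PS,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\keylog_test.txt"},
    # Allow-listed loader: user32.dll load by a browser is expected, no hit.
    {"host": "WS01", "EventCode": 7, "Image": CHROME,
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"host": "WS02", "EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyCapture",
     "Details": r"C:\Users\bob\AppData\Roaming\keylogger.exe"},
    {"host": "WS02", "EventCode": 7045, "ServiceName": "KbdFilter",
     "ServiceFileName": r"C:\Windows\System32\drivers\kbdfilter.sys"},
]

if __name__ == "__main__":
    for (host, image), (score, reasons) in sorted(score_by_process(SAMPLE_EVENTS).items()):
        print(f"{host} score={score} {image}")
        print("      " + " | ".join(reasons))
```

Run it as-is: the powershell.exe process on WS01 scores 3 because three different event types (process create, user32.dll load, file create) hit the same binary, while the Chrome load is dropped by the allowlist and the two WS02 findings each score 1. That is exactly the difference between per-event and per-process scoring that the SPL `stats ... BY _time, host, Image` step exists to capture.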

Data Sources

  • Process: Process Creation
  • Image: Image Load
  • Windows Registry: Registry Value Modification
  • File: File Creation
  • Windows Security Event Log
  • Sysmon

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security

False Positives & Tuning

  • Legitimate accessibility software (e.g., Dragon NaturallySpeaking, screen readers like JAWS and NVDA) that uses keyboard hook APIs for input monitoring
  • Password managers and macro utilities (AutoHotkey, Logitech G Hub, Razer Synapse) that legitimately hook keyboard input for hotkeys
  • Security testing tools and endpoint security products that monitor keyboard input as part of behavior analysis
  • Remote desktop and virtual machine software (VMware, VirtualBox, AnyDesk, TeamViewer) that intercepts keyboard input for session relay
  • The user32.dll indicator is low-signal on its own: nearly every interactive process loads user32.dll, and many Sysmon configurations filter EID 7 for common system DLLs for volume reasons, so the event may never be emitted. Confirm your Sysmon config actually logs it, keep the loader allowlist tuned to your fleet, and treat this indicator as corroboration for the others rather than as a standalone alert
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: SetWindowsHookEx Keyboard Hook via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# code in CommandLine. Sysmon Event ID 7: Image Load for user32.dll initiated by powershell.exe. Sysmon Event ID 11: File Create for keylog_test.txt in %TEMP%. Security Event ID 4688 (if enabled) for powershell.exe process creation.

  2. Test 2: GetAsyncKeyState Polling Loop

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with GetAsyncKeyState in CommandLine. Sysmon Event ID 7: Image Load for user32.dll by powershell.exe. Sysmon Event ID 11: File Create for keystate_test.txt in %TEMP%.

  3. Test 3: Keylogger Filename and Registry Persistence Simulation

    Expected signal: Sysmon Event ID 11: File Create for keylogger.exe and klog_output.txt in %APPDATA%. Sysmon Event ID 13: Registry value set for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyCapture. Security Event ID 4688 for powershell.exe.

  4. Test 4: Empire-style Python Keylogger on Linux

    Expected signal: Linux auditd: SYSCALL records for open('/dev/input/event0') if auditd rules are configured for /dev/input monitoring. Syslog: Process creation of python3 with suspicious inline code. File creation of /tmp/key_capture_test.log. If using Sysmon for Linux: ProcessCreate event for python3 with CommandLine containing 'dev/input' and 'struct.unpack'. Note that the SPL query on this page is scoped to the Windows Sysmon and Security sourcetypes, so this test validates Linux telemetry collection rather than the query itself; a Linux variant of the detection would need its own search over the auditd or Sysmon for Linux sourcetype.
