Detect Keylogging in Sumo Logic CSE
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include API hooking (SetWindowsHookEx, GetAsyncKeyState), reading hardware buffers, registry modifications, and custom drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems.
MITRE ATT&CK
- Tactic: Collection, Credential Access
- Technique: T1056 Input Capture
- Sub-technique: T1056.001 Keylogging
- Canonical reference: https://attack.mitre.org/techniques/T1056/001/
Sumo Detection Query
(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=endpoint/sysmon)
| where EventCode in ("1", "7", "11", "12", "13", "14", "7045")
/* Process creation with keylogger API or image name indicators - Sysmon EID 1 */
| eval keylogger_process = if(
EventCode = "1" and (
matches(toLowerCase(CommandLine), ".*(getkeystate|getasynckeystate|setwindowshookex|setwindowshookexw|setwindowshookexa|wh_keyboard|wh_keyboard_ll|getkeyboardstate|registerhotkey|callnexthookex).*") or
matches(toLowerCase(Image), ".*(keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture).*")
),
1, 0
)
/* Suspicious user32.dll load by non-standard process - Sysmon EID 7 */
| eval suspicious_hook_load = if(
EventCode = "7" and
matches(toLowerCase(ImageLoaded), ".*user32\\.dll.*") and
not matches(toLowerCase(Image), ".*(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|code|teams|slack|svchost|dwm|taskhostw|ctfmon|runtimebroker|conhost|werfault)\\.exe.*"),
1, 0
)
/* Registry modification with keylogger service or hook patterns - Sysmon EID 12/13/14 */
| eval suspicious_registry = if(
EventCode in ("12", "13", "14") and (
matches(toLowerCase(TargetObject), ".*(keylog|kbdfilter|keyboard.filter|keylogdrv|kbdhook).*") or
(
matches(toLowerCase(TargetObject), ".*currentcontrolset.*services.*") and
matches(toLowerCase(Details), ".*(keylog|kbdfilter|keylogdrv|klog).*")
)
),
1, 0
)
/* File creation with keylogger-related name - Sysmon EID 11 */
| eval suspicious_file = if(
EventCode = "11" and
matches(toLowerCase(TargetFilename), ".*(keylog|keystroke|klog|keycap|keyrecord|keyspy|keyboard_log|input_capture).*"),
1, 0
)
/* Service installation with keylogger traits - Security EID 7045 */
| eval suspicious_service = if(
EventCode = "7045" and
matches(toLowerCase(ServiceFileName), ".*(keylog|keystroke|kbdfilter|keylogdrv|klog).*"),
1, 0
)
| eval total_score = keylogger_process + suspicious_hook_load + suspicious_registry + suspicious_file + suspicious_service
| where total_score > 0
| eval detection_reason = concat(
if(keylogger_process = 1, "[KEYLOGGER_API_OR_NAME] ", ""),
if(suspicious_hook_load = 1, "[SUSPICIOUS_USER32_LOAD] ", ""),
if(suspicious_registry = 1, "[KEYLOGGER_REGISTRY] ", ""),
if(suspicious_file = 1, "[KEYLOGGER_FILE_CREATED] ", ""),
if(suspicious_service = 1, "[KEYLOGGER_SERVICE_INSTALL] ", "")
)
| fields _messageTime, _sourceHost, User, EventCode, Image, CommandLine, ImageLoaded, TargetObject, TargetFilename, ServiceName, ServiceFileName, total_score, detection_reason
| sort by _messageTime desc

Detects keylogger installation and activity across Windows Sysmon and Security event data. Uses a multi-signal scoring approach: awards one point each for keylogger API patterns in process launches, suspicious user32.dll image loads by non-standard processes, keylogger-pattern registry modifications, keylogger-named file creation, and keylogger service installations. Any event scoring above zero is surfaced with labeled detection reasons. Covers MITRE ATT&CK T1056.001.
False Positives & Tuning
- Accessibility technology including screen readers (JAWS, NVDA), braille display drivers, and switch access software for users with disabilities relies on SetWindowsHookEx and related keyboard APIs — these are benign but will trigger the API pattern detection, especially in healthcare or government environments with accessibility requirements.
- Software development and testing tools such as UI test automation frameworks (Selenium, Appium Windows Driver, AutoIt), keyboard macro recorders, and input simulation libraries create processes and files with keyboard-capture naming conventions during legitimate test execution.
- Enterprise password managers and privileged access management (PAM) agents use keyboard hook APIs for global hotkeys and may create local credential files or registry entries with names loosely matching keylogger patterns (e.g., 'keyvault', 'keychain').
- Hardware vendor control software (Corsair iCUE, SteelSeries GG, Logitech Options) installs keyboard filter drivers and creates service entries that may match keylogger driver name patterns while performing legitimate RGB/macro management.
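The scoring logic of the query above, transcribed into Python as an added illustration (not code from the page or from Sumo Logic) and run over constructed sample events. The `allowlist` parameter is an assumption not present in the query; it shows the kind of image-name exclusion the tuning notes above call for, so that an accessibility tool writing a `keylog_*` file is suppressed rather than scored.

```python
import re

# Regexes transcribed from the detection query; matching is on lowercased fields, as the
# query's toLowerCase() calls do. 'keyboard.filter' keeps the query's unescaped dot.
API_RE = re.compile(r"getkeystate|getasynckeystate|setwindowshookex|wh_keyboard|getkeyboardstate|registerhotkey|callnexthookex")
NAME_RE = re.compile(r"keylog|keystroke|klog|keycap|keyrecord|keyspy|kbdlog|keyboard_log|input_capture")
FILE_RE = re.compile(r"keylog|keystroke|klog|keycap|keyrecord|keyspy|keyboard_log|input_capture")
BENIGN_IMG_RE = re.compile(r"(explorer|chrome|firefox|msedge|outlook|winword|excel|powerpnt|notepad|code|teams|slack|svchost|dwm|taskhostw|ctfmon|runtimebroker|conhost|werfault)\.exe")
REG_KEY_RE = re.compile(r"keylog|kbdfilter|keyboard.filter|keylogdrv|kbdhook")
REG_VAL_RE = re.compile(r"keylog|kbdfilter|keylogdrv|klog")
SVC_RE = re.compile(r"keylog|keystroke|kbdfilter|keylogdrv|klog")

def score_event(ev, allowlist=()):
    """Mirror the query's eval chain for one event dict; returns (total_score, reasons).
    allowlist (assumed tuning hook, not in the query): image substrings never to score."""
    f = {k.lower(): str(v).lower() for k, v in ev.items()}
    code, image = f.get("eventcode", ""), f.get("image", "")
    if any(a in image for a in allowlist):
        return 0, []
    reasons = []
    if code == "1" and (API_RE.search(f.get("commandline", "")) or NAME_RE.search(image)):
        reasons.append("[KEYLOGGER_API_OR_NAME]")
    if code == "7" and "user32.dll" in f.get("imageloaded", "") and not BENIGN_IMG_RE.search(image):
        reasons.append("[SUSPICIOUS_USER32_LOAD]")
    if code in ("12", "13", "14"):
        target = f.get("targetobject", "")
        in_services = "currentcontrolset" in target and "services" in target
        if REG_KEY_RE.search(target) or (in_services and REG_VAL_RE.search(f.get("details", ""))):
            reasons.append("[KEYLOGGER_REGISTRY]")
    if code == "11" and FILE_RE.search(f.get("targetfilename", "")):
        reasons.append("[KEYLOGGER_FILE_CREATED]")
    if code == "7045" and SVC_RE.search(f.get("servicefilename", "")):
        reasons.append("[KEYLOGGER_SERVICE_INSTALL]")
    return len(reasons), reasons

# Constructed sample events standing in for Sysmon records; every path and name is made up.
SAMPLE_EVENTS = [
    {"EventCode": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Add-Type ... SetWindowsHookEx(13, ...)"},
    {"EventCode": "7", "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"EventCode": "7", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"EventCode": "13", "TargetObject": r"HKLM\System\CurrentControlSet\Services\kbdfilter\ImagePath", "Details": r"C:\Windows\System32\drivers\kbdfilter.sys"},
    {"EventCode": "11", "Image": r"C:\Program Files\AccessibilityVendor\screenreader.exe", "TargetFilename": r"C:\ProgramData\AccessibilityVendor\keylog_buffer.dat"},
]

def triage(events, allowlist=()):
    """Return [(EventCode, score, reasons)] for events scoring above zero, like the query's where clause."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev, allowlist)
        if score > 0:
            hits.append((ev["EventCode"], score, reasons))
    return hits
```

Without the allowlist the screen reader's file write is scored exactly as the query would score it; passing `allowlist=("screenreader.exe",)` drops it while the other hits remain.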
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SetWindowsHookEx Keyboard Hook via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the inline C# code in CommandLine. Sysmon Event ID 7: Image Load for user32.dll initiated by powershell.exe. Sysmon Event ID 11: File Create for keylog_test.txt in %TEMP%. Security Event ID 4688 (if enabled) for powershell.exe process creation.
- Test 2: GetAsyncKeyState Polling Loop
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with GetAsyncKeyState in CommandLine. Sysmon Event ID 7: Image Load for user32.dll by powershell.exe. Sysmon Event ID 11: File Create for keystate_test.txt in %TEMP%.
- Test 3: Keylogger Filename and Registry Persistence Simulation
Expected signal: Sysmon Event ID 11: File Create for keylogger.exe and klog_output.txt in %APPDATA%. Sysmon Event ID 13: Registry value set for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyCapture. Security Event ID 4688 for powershell.exe.
- Test 4: Empire-style Python Keylogger on Linux
Expected signal: Linux auditd: SYSCALL records for open('/dev/input/event0') if auditd rules are configured for /dev/input monitoring. Syslog: Process creation of python3 with suspicious inline code. File creation of /tmp/key_capture_test.log. If using Sysmon for Linux: ProcessCreate event for python3 with CommandLine containing 'dev/input' and 'struct.unpack'.
References (11)
- https://attack.mitre.org/techniques/T1056/001/
- http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
- https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/
- https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md
- https://learn.microsoft.com/en-us/windows/win32/winmsg/about-hooks
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexw
- https://www.eset.com/int/about/newsroom/research/evasive-panda-apt-group-uses-supply-chain-attacks-to-target-tibetans/
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation