Detect Input Capture in Google Chronicle
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). Common sub-techniques include keylogging via Windows hooks (SetWindowsHookEx), GUI input capture via credential dialog spoofing, web portal capture via fake login pages, and credential API hooking via DLL injection into authentication processes. Threat actors including APT42, Storm-1811, and APT39 have leveraged these techniques, as have malware families such as InvisibleFerret, Chaes, Kobalos, and NPPSPY.
MITRE ATT&CK
- Tactic: Collection, Credential Access
- Technique: T1056 Input Capture
- Canonical reference: https://attack.mitre.org/techniques/T1056/
YARA-L Detection Query
rule t1056_input_capture_network_provider_registration {
  meta:
    author = "df00tech"
    description = "Detects Network Provider DLL registration (NPPSPY technique) — T1056 Input Capture"
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    // Either the global provider order or a per-service NetworkProvider subkey
    (
      re.regex($reg.target.registry.registry_key, `(?i).*SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order.*`)
      or re.regex($reg.target.registry.registry_key, `(?i).*SYSTEM\\CurrentControlSet\\Services\\.*\\NetworkProvider.*`)
    )
    // Writers that legitimately touch these keys during service/MSI installation
    not re.regex($reg.principal.process.file.full_path, `(?i).*(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe)$`)

  condition:
    $reg
}

rule t1056_input_capture_suspicious_dll_in_credential_process {
  meta:
    author = "df00tech"
    description = "Detects suspicious non-system DLL loaded into credential/authentication processes — T1056 Input Capture"
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    // Loading process is a logon / credential UI process
    re.regex($load.principal.process.file.full_path, `(?i).*(winlogon\.exe|lsass\.exe|LogonUI\.exe|consent\.exe|credui\.exe)$`)
    // Loaded module lives outside the trusted system and program directories
    not re.regex($load.target.process.file.full_path, `(?i)^(C:\\Windows\\System32\\|C:\\Windows\\SysWOW64\\|C:\\Program Files\\|C:\\Program Files \(x86\)\\).*`)
    re.regex($load.target.process.file.full_path, `(?i)\.dll$`)

  condition:
    $load
}

rule t1056_input_capture_api_or_tool {
  meta:
    author = "df00tech"
    description = "Detects process creation referencing input capture APIs or known keylogger tool names — T1056 Input Capture"
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($proc.target.process.command_line, `(?i).*(SetWindowsHookEx|GetAsyncKeyState|GetKeyState|WH_KEYBOARD_LL|WH_MOUSE_LL|pyWinhook|pynput|Get-Clipboard|keyboard\.hook|InputCapture).*`)
      or re.regex($proc.target.process.file.full_path, `(?i).*(keylog|keyscan|hookdll|inputcap|credcap).*`)
    )

  condition:
    $proc
}

rule t1056_input_capture_remote_thread_credential_process {
  meta:
    author = "df00tech"
    description = "Detects remote thread injection into credential and logon UI processes — T1056 Input Capture"
    mitre_attack_tactic = "Defense Evasion, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "CRITICAL"
    priority = "CRITICAL"

  events:
    $inj.metadata.event_type = "PROCESS_INJECTION"
    re.regex($inj.target.process.file.full_path, `(?i).*(winlogon\.exe|LogonUI\.exe|credui\.exe|consent\.exe)$`)

  condition:
    $inj
}

rule t1056_input_capture_compound_signal {
  meta:
    author = "df00tech"
    description = "Compound rule: correlated Input Capture signals on same host within 1 hour — T1056 Input Capture high-confidence"
    mitre_attack_tactic = "Collection, Credential Access"
    mitre_attack_technique = "T1056"
    severity = "CRITICAL"
    priority = "CRITICAL"

  events:
    // Signal 1: NetworkProvider registry write by a non-installer process
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($reg.target.registry.registry_key, `(?i).*NetworkProvider.*`)
    not re.regex($reg.principal.process.file.full_path, `(?i).*(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe)$`)
    $reg.principal.hostname = $hostname

    // Signal 2: logon process loads a module from outside C:\Windows
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    re.regex($load.principal.process.file.full_path, `(?i).*(winlogon\.exe|lsass\.exe|LogonUI\.exe)$`)
    not re.regex($load.target.process.file.full_path, `(?i)^C:\\Windows\\.*`)
    $load.principal.hostname = $hostname

  // YARA-L 2.0 correlates on a placeholder variable bound in the events section,
  // not on an event field directly
  match:
    $hostname over 1h

  condition:
    $reg and $load
}

Five Chronicle YARA-L 2.0 rules for T1056 Input Capture: individual rules for Network Provider DLL registration (NPPSPY), suspicious non-system DLL loads into winlogon/lsass/credui, process creation with input capture API strings or known keylogger filenames, and remote thread injection into credential processes. A compound correlation rule fires when registry and DLL-load signals occur on the same host within one hour, indicating higher-confidence activity.
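To see what the rule predicates actually match before deploying them, the following Python harness mirrors the regexes of rules 1, 2, 3 and the compound rule and runs them over a handful of constructed UDM-style events. It is an added example, not code from the original page or from the df00tech rule set; the flattened field names (`principal_path`, `target_path`, `registry_key`, `command_line`, `hostname`, `ts`) are stand-ins for the UDM paths the rules reference, the events are made up, and the use of unanchored `re.search` is an assumption about YARA-L's `re.regex` semantics (the rules' own patterns are wrapped in `.*`, so either reading gives the same result here).

```python
"""Offline mirror of the T1056 YARA-L predicates, run over constructed UDM-style events."""
import re
from datetime import datetime, timedelta

# Patterns copied from the rules above.
SYSTEM_INSTALLERS = re.compile(r"(?i).*(services\.exe|svchost\.exe|msiexec\.exe|TrustedInstaller\.exe)$")
NP_ORDER_KEY = re.compile(r"(?i).*SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order.*")
NP_SERVICE_KEY = re.compile(r"(?i).*SYSTEM\\CurrentControlSet\\Services\\.*\\NetworkProvider.*")
CRED_PROCESSES = re.compile(r"(?i).*(winlogon\.exe|lsass\.exe|LogonUI\.exe|consent\.exe|credui\.exe)$")
TRUSTED_DIRS = re.compile(r"(?i)^(C:\\Windows\\System32\\|C:\\Windows\\SysWOW64\\|C:\\Program Files\\|C:\\Program Files \(x86\)\\).*")
INPUT_CAPTURE_API = re.compile(r"(?i).*(SetWindowsHookEx|GetAsyncKeyState|GetKeyState|WH_KEYBOARD_LL|WH_MOUSE_LL|pyWinhook|pynput|Get-Clipboard|keyboard\.hook|InputCapture).*")
KEYLOGGER_NAMES = re.compile(r"(?i).*(keylog|keyscan|hookdll|inputcap|credcap).*")
LOGON_PROCESSES = re.compile(r"(?i).*(winlogon\.exe|lsass\.exe|LogonUI\.exe)$")
WINDOWS_DIR = re.compile(r"(?i)^C:\\Windows\\.*")

# Constructed sample events (not real telemetry). Field names are flattened stand-ins:
# principal_path -> principal.process.file.full_path, target_path -> target.process.file.full_path,
# registry_key -> target.registry.registry_key, command_line -> target.process.command_line.
SAMPLE_EVENTS = [
    {"event_type": "REGISTRY_MODIFICATION", "hostname": "ws01", "ts": "2024-01-01T10:00:00",
     "principal_path": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "registry_key": r"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"},
    {"event_type": "PROCESS_MODULE_LOAD", "hostname": "ws01", "ts": "2024-01-01T10:20:00",
     "principal_path": r"C:\Windows\System32\winlogon.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Temp\npp.dll"},
    # msiexec writing a per-service NetworkProvider key: excluded by the installer allowlist
    {"event_type": "REGISTRY_MODIFICATION", "hostname": "ws02", "ts": "2024-01-01T10:05:00",
     "principal_path": r"C:\Windows\System32\msiexec.exe",
     "registry_key": r"HKLM\SYSTEM\CurrentControlSet\Services\VpnNp\NetworkProvider"},
    # vendor credential provider under Program Files: excluded by the trusted-directory filter
    {"event_type": "PROCESS_MODULE_LOAD", "hostname": "ws03", "ts": "2024-01-01T10:07:00",
     "principal_path": r"C:\Windows\System32\LogonUI.exe",
     "target_path": r"C:\Program Files\Vendor\credprov.dll"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws04", "ts": "2024-01-01T10:09:00",
     "target_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -c Add-Type ... SetWindowsHookEx ..."},
    # Both single-rule signals on ws05, but 2.5 h apart: outside the compound rule's 1 h window
    {"event_type": "REGISTRY_MODIFICATION", "hostname": "ws05", "ts": "2024-01-01T09:00:00",
     "principal_path": r"C:\Users\bob\Downloads\installer.exe",
     "registry_key": r"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"},
    {"event_type": "PROCESS_MODULE_LOAD", "hostname": "ws05", "ts": "2024-01-01T11:30:00",
     "principal_path": r"C:\Windows\System32\winlogon.exe",
     "target_path": r"C:\Temp\hook.dll"},
]


def rule_network_provider_registration(ev):
    """Rule 1: NetworkProvider registry write by anything other than the installer allowlist."""
    if ev.get("event_type") != "REGISTRY_MODIFICATION":
        return False
    key = ev.get("registry_key", "")
    if not (NP_ORDER_KEY.search(key) or NP_SERVICE_KEY.search(key)):
        return False
    return not SYSTEM_INSTALLERS.search(ev.get("principal_path", ""))


def rule_suspicious_dll_in_credential_process(ev):
    """Rule 2: credential/logon process loads a .dll from outside the trusted directories."""
    if ev.get("event_type") != "PROCESS_MODULE_LOAD":
        return False
    if not CRED_PROCESSES.search(ev.get("principal_path", "")):
        return False
    module = ev.get("target_path", "")
    return bool(re.search(r"(?i)\.dll$", module)) and not TRUSTED_DIRS.search(module)


def rule_api_or_tool(ev):
    """Rule 3: process launch with hook-API strings in the command line or a keylogger-like image name."""
    if ev.get("event_type") != "PROCESS_LAUNCH":
        return False
    return bool(INPUT_CAPTURE_API.search(ev.get("command_line", ""))
                or KEYLOGGER_NAMES.search(ev.get("target_path", "")))


def rule_compound(events, window=timedelta(hours=1)):
    """Compound rule: hosts where a registry signal and a load signal fall within `window` of each other."""
    reg_hits, load_hits = {}, {}
    for ev in events:
        ts, host = datetime.fromisoformat(ev["ts"]), ev["hostname"]
        if (ev["event_type"] == "REGISTRY_MODIFICATION"
                and re.search(r"(?i).*NetworkProvider.*", ev.get("registry_key", ""))
                and not SYSTEM_INSTALLERS.search(ev.get("principal_path", ""))):
            reg_hits.setdefault(host, []).append(ts)
        elif (ev["event_type"] == "PROCESS_MODULE_LOAD"
                and LOGON_PROCESSES.search(ev.get("principal_path", ""))
                and not WINDOWS_DIR.search(ev.get("target_path", ""))):
            load_hits.setdefault(host, []).append(ts)
    return sorted(h for h in reg_hits if h in load_hits
                  and any(abs(r - l) <= window for r in reg_hits[h] for l in load_hits[h]))


def evaluate(events):
    """Return the hostnames each rule fires on, preserving event order."""
    hits = {"network_provider_registration": [], "suspicious_dll_in_credential_process": [], "api_or_tool": []}
    for ev in events:
        if rule_network_provider_registration(ev):
            hits["network_provider_registration"].append(ev["hostname"])
        if rule_suspicious_dll_in_credential_process(ev):
            hits["suspicious_dll_in_credential_process"].append(ev["hostname"])
        if rule_api_or_tool(ev):
            hits["api_or_tool"].append(ev["hostname"])
    hits["compound_signal"] = rule_compound(events)
    return hits


if __name__ == "__main__":
    for rule, hosts in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {hosts}")
```

Note that the compound rule's load predicate is looser than rule 2 (only `C:\Windows\` is excluded, and there is no `.dll` suffix check), so a vendor credential provider under Program Files produces a load-side match on `ws03`; it stays silent there only because no registry-side signal exists on that host. The `ws05` pair shows the time-window boundary: both single rules fire, the compound rule does not.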
Data Sources
Required Tables
False Positives & Tuning
- EDR sensor updates or configuration changes trigger NetworkProvider registry modifications during agent installation rollouts
- Windows Defender Credential Guard configuration writes to NetworkProvider keys during Virtualization-Based Security setup
- Legitimate software installers (VPN clients, network authentication agents) register Network Provider DLLs, often via child processes other than msiexec
- Third-party authentication solutions (smart card middleware, biometric login software) load DLLs into LogonUI.exe during credential provider initialization
- Security research VMs with Sysmon instrumentation may generate false positives from debugging tools that load DLLs into system processes
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: NPPSPY Network Provider Registration (Credential Interception Setup)
  Expected signal: Sysmon Event ID 12 (RegistryKeyCreate): TargetObject containing HKLM\SYSTEM\CurrentControlSet\Services\TestNPP. Sysmon Event ID 13 (RegistryValueSet): TargetObject containing NetworkProvider\Order with Details showing 'TestNPP' appended to ProviderOrder. Security Event ID 4657 (Registry value modification) if object access auditing is enabled. MDE DeviceRegistryEvents with ActionType=RegistryKeyCreated and RegistryValueSet for the service key and NetworkProvider\Order respectively.
- Test 2: Low-Level Keyboard Hook via PowerShell PInvoke (SetWindowsHookEx WH_KEYBOARD_LL)
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SetWindowsHookEx', 'WH_KEYBOARD_LL' or value '13', and 'Add-Type'. PowerShell ScriptBlock Log Event ID 4104 with the full PInvoke code including SetWindowsHookEx. MDE DeviceProcessEvents with ProcessCommandLine matching the SetWindowsHookEx pattern.
- Test 3: Clipboard Monitoring Loop with File Exfiltration Simulation
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Clipboard', 'while', 'Start-Sleep', 'Add-Content', '-WindowStyle Hidden'. Sysmon Event ID 11 (File Create): cb_harvest.txt created in %TEMP%. MDE DeviceProcessEvents with ProcessCommandLine matching the clipboard + loop pattern. MDE DeviceFileEvents showing file writes to the TEMP directory.
- Test 4: SSH Client Trojanization Simulation (Kobalos Pattern, Linux)
  Expected signal: Auditd: file modification events on the /usr/bin/ssh binary (syscall=rename or write). Syslog: file integrity monitoring alerts if AIDE/Tripwire/OSSEC is configured. If Linux auditd has file watches configured: SYSCALL records for rename/unlink on /usr/bin/ssh. Process execution telemetry showing /usr/bin/ssh spawning /tmp/ssh_real as a child process. File creation event for /tmp/.ssh_capture.log.
- Test 5: Python Keylogger via pynput (Cross-Platform)
  Expected signal: Sysmon Event ID 1: Process Create for pip.exe (pynput installation) and python.exe (keylogger execution). CommandLine of python.exe containing 'pynput', 'keyboard', 'Listener', 'on_press'. Sysmon Event ID 7: Image loads for pynput DLL dependencies into python.exe. Network connection (Sysmon Event ID 3) from pip.exe to PyPI for package download during the installation phase. MDE DeviceProcessEvents capturing both the pip and python command lines.
References
- https://attack.mitre.org/techniques/T1056/
- https://attack.mitre.org/techniques/T1056/001/
- https://attack.mitre.org/techniques/T1056/002/
- https://attack.mitre.org/techniques/T1056/003/
- https://attack.mitre.org/techniques/T1056/004/
- https://www.huntress.com/blog/credential-interception-via-nppspy
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexw
- https://www.welivesecurity.com/2021/01/26/kobalos-complex-linux-threat-high-performance-computing-infrastructure/
- https://unit42.paloaltonetworks.com/contagious-interview-beavertail-invisibleferret/
- https://www.sentinelone.com/labs/metador-technical-appendix/
- https://www.cybereason.com/blog/research/chaes-hunting-the-prey
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_credentials_stealing_via_network_provider.yml
- http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf