T1056 IBM QRadar · QRadar

Detect Input Capture in IBM QRadar

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). Common sub-techniques include keylogging via Windows hooks (SetWindowsHookEx), GUI input capture via credential dialog spoofing, web portal capture via fake login pages, and credential API hooking via DLL injection into authentication processes. Threat actors including APT42, Storm-1811, and APT39 have leveraged these techniques, as have malware families such as InvisibleFerret, Chaes, Kobalos, and NPPSPY.

MITRE ATT&CK

Tactic: Collection, Credential Access
Technique: T1056 Input Capture
Canonical reference: https://attack.mitre.org/techniques/T1056/

QRadar Detection Query

IBM QRadar (QRadar)
/* Signal 1: Network Provider Registry Key Modification (Sysmon EID 13).
   Indicator = registry key written, Detail = value data (NPPSPY-style provider registration). */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS User,
  "TargetObject" AS Indicator,
  "Details" AS Detail,
  "Image" AS InitiatingProcess,
  'NetworkProviderRegistration' AS SignalType,
  90 AS SeverityScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid = 13
  AND ("TargetObject" ILIKE '%\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order%'
       OR "TargetObject" ILIKE '%\\SYSTEM\\CurrentControlSet\\Services\\%\\NetworkProvider%')
  /* Windows components that legitimately write these keys */
  AND "Image" NOT ILIKE '%\\services.exe'
  AND "Image" NOT ILIKE '%\\svchost.exe'
  AND "Image" NOT ILIKE '%\\msiexec.exe'
  AND "Image" NOT ILIKE '%\\TrustedInstaller.exe'
  AND starttime > NOW() - 86400000

UNION ALL

/* Signal 2: Suspicious DLL Loaded into Credential Process (Sysmon EID 7).
   Indicator = loaded DLL path, Detail = its hashes. */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS User,
  "ImageLoaded" AS Indicator,
  "Hashes" AS Detail,
  "Image" AS InitiatingProcess,
  'SuspiciousDLLInCredentialProcess' AS SignalType,
  85 AS SeverityScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid = 7
  AND ("Image" ILIKE '%\\winlogon.exe' OR "Image" ILIKE '%\\lsass.exe'
       OR "Image" ILIKE '%\\LogonUI.exe' OR "Image" ILIKE '%\\consent.exe'
       OR "Image" ILIKE '%\\credui.exe')
  /* Only DLLs loaded from outside the standard trusted directories */
  AND "ImageLoaded" NOT ILIKE 'C:\\Windows\\System32\\%'
  AND "ImageLoaded" NOT ILIKE 'C:\\Windows\\SysWOW64\\%'
  AND "ImageLoaded" NOT ILIKE 'C:\\Program Files\\%'
  AND "ImageLoaded" NOT ILIKE 'C:\\Program Files (x86)\\%'
  AND starttime > NOW() - 86400000

UNION ALL

/* Signal 3: Input Capture API or Tool Invocation (Sysmon EID 1).
   Indicator = command line, Detail = image, InitiatingProcess = parent image. */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS User,
  "CommandLine" AS Indicator,
  "Image" AS Detail,
  "ParentImage" AS InitiatingProcess,
  'InputCaptureAPIOrTool' AS SignalType,
  70 AS SeverityScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid = 1
  AND ("CommandLine" ILIKE '%SetWindowsHookEx%' OR "CommandLine" ILIKE '%GetAsyncKeyState%'
       OR "CommandLine" ILIKE '%GetKeyState%' OR "CommandLine" ILIKE '%WH_KEYBOARD_LL%'
       OR "CommandLine" ILIKE '%WH_MOUSE_LL%' OR "CommandLine" ILIKE '%pyWinhook%'
       OR "CommandLine" ILIKE '%pynput%' OR "CommandLine" ILIKE '%Get-Clipboard%'
       OR "Image" ILIKE '%keylog%' OR "Image" ILIKE '%keyscan%'
       OR "Image" ILIKE '%inputcap%' OR "Image" ILIKE '%hookdll%')
  AND starttime > NOW() - 86400000

UNION ALL

/* Signal 4: Remote Thread into Credential Process (Sysmon EID 8).
   Indicator = target process, Detail = thread start function, InitiatingProcess = source process. */
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "username" AS User,
  "TargetImage" AS Indicator,
  "StartFunction" AS Detail,
  "SourceImage" AS InitiatingProcess,
  'RemoteThreadInCredentialProcess' AS SignalType,
  95 AS SeverityScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND eventid = 8
  AND ("TargetImage" ILIKE '%\\winlogon.exe' OR "TargetImage" ILIKE '%\\LogonUI.exe'
       OR "TargetImage" ILIKE '%\\credui.exe' OR "TargetImage" ILIKE '%\\consent.exe')
  AND starttime > NOW() - 86400000

ORDER BY SeverityScore DESC, EventTime DESC
Severity: high. Confidence: high.

AQL multi-signal detection for T1056 Input Capture using Sysmon event IDs 13 (registry), 7 (image load), 1 (process create), and 8 (remote thread). Covers NPPSPY-style Network Provider DLL registration, suspicious DLL injection into credential processes, input hook API invocation, and remote thread creation targeting authentication processes. Severity-scored union across all four signals.

Data Sources

  • IBM QRadar SIEM
  • Windows Sysmon log source
  • Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Enterprise security tools (CrowdStrike Falcon, Carbon Black, SentinelOne) create remote threads in system processes as part of their injection-based monitoring
  • Legitimate software deployment via SCCM or Intune may trigger registry modifications in NetworkProvider paths during network authentication component installation
  • Password manager extensions (LastPass, 1Password) may load helper DLLs into credential dialog processes on some Windows configurations
  • Windows updates and service pack installations modify NetworkProvider registry keys via services.exe and TrustedInstaller.exe (already excluded) but sibling processes may also trigger
  • IT monitoring tools using WMI or PowerShell remoting may invoke clipboard-related APIs in the context of automation scripts
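To see how the four signals and their exclusions behave before deploying the AQL, the same matching logic can be run locally over sample Sysmon events. The following is an added example, not the page's rule or any vendor code; it models ILIKE with fnmatch, keeps the rule's patterns verbatim, and adds a hypothetical EDR_SOURCES tuning list for Signal 4 as the False Positives section suggests. All events and process names are constructed.

```python
from fnmatch import fnmatchcase

def ilike(value, patterns):
    """True if value matches any SQL ILIKE pattern ('%' wildcard), via fnmatch."""
    return any(fnmatchcase(value.lower(), p.lower().replace("%", "*")) for p in patterns)

# Pattern lists copied from the AQL rule's WHERE clauses (Python string escaping).
NP_KEYS = ["%\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order%",
           "%\\SYSTEM\\CurrentControlSet\\Services\\%\\NetworkProvider%"]
LEGIT_WRITERS = ["%\\services.exe", "%\\svchost.exe", "%\\msiexec.exe", "%\\TrustedInstaller.exe"]
CRED_PROCS = ["%\\winlogon.exe", "%\\lsass.exe", "%\\LogonUI.exe", "%\\consent.exe", "%\\credui.exe"]
TRUSTED_DIRS = ["C:\\Windows\\System32\\%", "C:\\Windows\\SysWOW64\\%",
                "C:\\Program Files\\%", "C:\\Program Files (x86)\\%"]
HOOK_CMD = ["%SetWindowsHookEx%", "%GetAsyncKeyState%", "%GetKeyState%", "%WH_KEYBOARD_LL%",
            "%WH_MOUSE_LL%", "%pyWinhook%", "%pynput%", "%Get-Clipboard%"]
HOOK_IMG = ["%keylog%", "%keyscan%", "%inputcap%", "%hookdll%"]
THREAD_TARGETS = ["%\\winlogon.exe", "%\\LogonUI.exe", "%\\credui.exe", "%\\consent.exe"]
# Hypothetical Signal 4 tuning list (EDR agents that legitimately inject threads); adjust to your EDR.
EDR_SOURCES = ["%\\CSFalconService.exe"]

def evaluate(ev):
    """Return (SignalType, SeverityScore) for one Sysmon event dict, else None."""
    eid, img = ev.get("EventID"), ev.get("Image", "")
    if eid == 13 and ilike(ev.get("TargetObject", ""), NP_KEYS) and not ilike(img, LEGIT_WRITERS):
        return ("NetworkProviderRegistration", 90)
    if eid == 7 and ilike(img, CRED_PROCS) and not ilike(ev.get("ImageLoaded", ""), TRUSTED_DIRS):
        return ("SuspiciousDLLInCredentialProcess", 85)
    if eid == 1 and (ilike(ev.get("CommandLine", ""), HOOK_CMD) or ilike(img, HOOK_IMG)):
        return ("InputCaptureAPIOrTool", 70)
    if eid == 8 and ilike(ev.get("TargetImage", ""), THREAD_TARGETS) \
            and not ilike(ev.get("SourceImage", ""), EDR_SOURCES):
        return ("RemoteThreadInCredentialProcess", 95)
    return None

def triage(events):
    """Apply all four signals; return (SignalType, score, event) sorted like the AQL ORDER BY."""
    hits = [(r[0], r[1], ev) for ev in events for r in [evaluate(ev)] if r]
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample events (not real telemetry): hits plus the excluded cases.
SAMPLE = [
    {"EventID": 13, "Image": "C:\\Users\\Public\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\\ProviderOrder"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\\ProviderOrder"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\winlogon.exe", "ImageLoaded": "C:\\Users\\Public\\x.dll"},
    {"EventID": 8, "SourceImage": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe"},
    {"EventID": 8, "SourceImage": "C:\\Users\\Public\\inj.exe", "TargetImage": "C:\\Windows\\System32\\winlogon.exe"},
]
```

Running `triage(SAMPLE)` yields the remote-thread, registry and DLL hits in descending severity, with the services.exe write and the EDR-sourced thread suppressed by the exclusions.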

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: NPPSPY Network Provider Registration (Credential Interception Setup)

    Expected signal: Sysmon Event ID 12 (RegistryKeyCreate): TargetObject containing HKLM\SYSTEM\CurrentControlSet\Services\TestNPP. Sysmon Event ID 13 (RegistryValueSet): TargetObject containing NetworkProvider\Order with Details showing 'TestNPP' appended to ProviderOrder. Security Event ID 4657 (Registry value modification) if object access auditing is enabled. MDE DeviceRegistryEvents with ActionType=RegistryKeyCreated for the service key and ActionType=RegistryValueSet for NetworkProvider\Order.

  2. Test 2: Low-Level Keyboard Hook via PowerShell PInvoke (SetWindowsHookEx WH_KEYBOARD_LL)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'SetWindowsHookEx', 'WH_KEYBOARD_LL' or the value '13', and 'Add-Type'. PowerShell ScriptBlock Log Event ID 4104 with the full PInvoke code including SetWindowsHookEx. MDE DeviceProcessEvents with ProcessCommandLine matching the SetWindowsHookEx pattern.

  3. Test 3: Clipboard Monitoring Loop with File Exfiltration Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Clipboard', 'while', 'Start-Sleep', 'Add-Content', '-WindowStyle Hidden'. Sysmon Event ID 11 (File Create): cb_harvest.txt created in %TEMP%. MDE DeviceProcessEvents with ProcessCommandLine matching the clipboard plus loop pattern. MDE DeviceFileEvents showing file writes to the TEMP directory.

  4. Test 4: SSH Client Trojanization Simulation (Kobalos Pattern, Linux)

    Expected signal: Auditd: file modification events on the /usr/bin/ssh binary (syscall=rename or write). Syslog: file integrity monitoring alerts if AIDE/Tripwire/OSSEC is configured. If Linux auditd has file watches configured: SYSCALL records for rename/unlink on /usr/bin/ssh. Process execution telemetry showing /usr/bin/ssh spawning /tmp/ssh_real as a child process. File creation event for /tmp/.ssh_capture.log.

  5. Test 5: Python Keylogger via pynput (Cross-Platform)

    Expected signal: Sysmon Event ID 1: Process Create for pip.exe (pynput installation) and python.exe (keylogger execution). CommandLine of python.exe containing 'pynput', 'keyboard', 'Listener', 'on_press'. Sysmon Event ID 7: Image loads for pynput DLL dependencies into python.exe. Network connection (Sysmon Event ID 3) from pip.exe to PyPI for the package download during the installation phase. MDE DeviceProcessEvents capturing both the pip and python command lines.
