T1674 Elastic Security · Elastic

Detect Input Injection in Elastic Security

This detection identifies adversary attempts to simulate keyboard input to execute commands or manipulate applications on behalf of victims. Input injection manifests through HID (Human Interface Device) emulation via malicious USB devices, programmatic keystroke injection via Win32 APIs (SendInput, keybd_event, PostMessage with WM_KEYDOWN/WM_KEYUP), and monitoring of the Windows message loop to inject input into specific applications such as browsers. Key indicators include PowerShell or command interpreters spawning from interactive desktop processes (explorer.exe) with no visible user session context, rapid automated input sequences following USB device attachment, and browser processes receiving injected console commands characteristic of banking trojans like BackSwap that monitor for financial URLs and inject JavaScript via simulated keystrokes.

MITRE ATT&CK

Tactic
Execution
Technique
T1674 Input Injection
Canonical reference
https://attack.mitre.org/techniques/T1674/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1674*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true
high severity medium confidence

Elastic EQL detection for Input Injection (T1674). Identifies input injection activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

Data Sources

Elastic Endpoint SecurityElastic Agent

Required Tables

logs-endpoint.events.process-*logs-system.security-*

False Positives & Tuning

  • Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
  • Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
  • Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications
Download portable Sigma rule (.yml)

Other platforms for T1674

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Keystroke Injection via SendKeys COM Object

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with '-Command' and 'SendKeys' in CommandLine; subsequent notepad.exe process creation from shell parent

  2. Test 2Simulated HID USB Attack - AutoHotkey Keystroke Script

    Expected signal: Sysmon Event ID 1: AutoHotkey.exe spawning, followed by PowerShell process creation triggered by simulated Win+R keystrokes; DeviceProcessEvents showing explorer.exe as grandparent of PowerShell

  3. Test 3Browser Console JavaScript Injection via Clipboard and Simulated Keystrokes (BackSwap Simulation)

    Expected signal: Sysmon Event ID 1 or DeviceProcessEvents: PowerShell process with SendKeys and AppActivate in command line; clipboard write event followed by browser F12 key injection; browser console activity

  4. Test 4USB Rubber Ducky Payload Simulation - Direct Win32 API Keystroke Injection

    Expected signal: Sysmon Event ID 1: PowerShell with Add-Type and SendInput/DllImport in command or script content; DeviceImageLoadEvents for user32.dll loaded into PowerShell process; Security Event 4688 if process auditing enabled

Last updated: 2026-03-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1674 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059.001PowerShellT1059.007JavaScriptT1091Replication Through Removable MediaT1204.002Malicious FileT1115Clipboard DataT1559.001Component Object ModelT1056.001Keylogging

Same Tactic: Execution

Popular Detections