T1674 IBM QRadar · QRadar

Detect Input Injection in IBM QRadar

This detection identifies adversary attempts to simulate keyboard input to execute commands or manipulate applications on behalf of victims. Input injection manifests through HID (Human Interface Device) emulation via malicious USB devices, programmatic keystroke injection via Win32 APIs (SendInput, keybd_event, PostMessage with WM_KEYDOWN/WM_KEYUP), and monitoring of the Windows message loop to inject input into specific applications such as browsers. Key indicators include PowerShell or command interpreters spawning from interactive desktop processes (explorer.exe) with no visible user session context, rapid automated input sequences following USB device attachment, and browser processes receiving injected console commands characteristic of banking trojans like BackSwap that monitor for financial URLs and inject JavaScript via simulated keystrokes.

MITRE ATT&CK

Tactic
Execution
Technique
T1674 Input Injection
Canonical reference
https://attack.mitre.org/techniques/T1674/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS
high severity medium confidence

IBM QRadar AQL detection for Input Injection (T1674). Queries QRadar event pipeline for indicators consistent with input injection adversary techniques using MITRE ATT&CK-aligned event categorization.

Data Sources

IBM QRadar SIEMWindows Security EventsEndpoint Agent

Required Tables

events

False Positives & Tuning

  • Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
  • Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
  • Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications
Download portable Sigma rule (.yml)

Other platforms for T1674

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Keystroke Injection via SendKeys COM Object

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with '-Command' and 'SendKeys' in CommandLine; subsequent notepad.exe process creation from shell parent

  2. Test 2Simulated HID USB Attack - AutoHotkey Keystroke Script

    Expected signal: Sysmon Event ID 1: AutoHotkey.exe spawning, followed by PowerShell process creation triggered by simulated Win+R keystrokes; DeviceProcessEvents showing explorer.exe as grandparent of PowerShell

  3. Test 3Browser Console JavaScript Injection via Clipboard and Simulated Keystrokes (BackSwap Simulation)

    Expected signal: Sysmon Event ID 1 or DeviceProcessEvents: PowerShell process with SendKeys and AppActivate in command line; clipboard write event followed by browser F12 key injection; browser console activity

  4. Test 4USB Rubber Ducky Payload Simulation - Direct Win32 API Keystroke Injection

    Expected signal: Sysmon Event ID 1: PowerShell with Add-Type and SendInput/DllImport in command or script content; DeviceImageLoadEvents for user32.dll loaded into PowerShell process; Security Event 4688 if process auditing enabled

Last updated: 2026-03-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1674 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059.001PowerShellT1059.007JavaScriptT1091Replication Through Removable MediaT1204.002Malicious FileT1115Clipboard DataT1559.001Component Object ModelT1056.001Keylogging

Same Tactic: Execution

Popular Detections