Detect Input Injection in Microsoft Sentinel
This detection identifies adversary attempts to simulate keyboard input to execute commands or manipulate applications on behalf of victims. Input injection manifests through HID (Human Interface Device) emulation via malicious USB devices, programmatic keystroke injection via Win32 APIs (SendInput, keybd_event, PostMessage with WM_KEYDOWN/WM_KEYUP), and monitoring of the Windows message loop to inject input into specific applications such as browsers. Key indicators include PowerShell or command interpreters spawning from interactive desktop processes (explorer.exe) with no visible user session context, rapid automated input sequences following USB device attachment, and browser processes receiving injected console commands characteristic of banking trojans like BackSwap that monitor for financial URLs and inject JavaScript via simulated keystrokes.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1674 Input Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1674/
KQL Detection Query
let SuspiciousChildProcs = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"]);
let EncodedFlags = dynamic(["-EncodedCommand", "-enc ", "-e ", "IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String", "-WindowStyle Hidden", "-NoProfile", "-NonInteractive"]);
// Detect shell processes spawned via simulated input from desktop/shell parents with obfuscated command lines
let HIDSpawnedShells = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where InitiatingProcessFileName in~ ("explorer.exe", "winlogon.exe", "userinit.exe", "sihost.exe", "taskhostw.exe")
| where FileName in~ (SuspiciousChildProcs)
| where ProcessCommandLine has_any (EncodedFlags)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId,
FileName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine,
FolderPath, SHA256, ReportId;
// Detect browser developer console or address bar manipulation patterns (BackSwap-style)
let BrowserInjection = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId,
FileName, ProcessId, ProcessCommandLine, FolderPath, SHA256, ReportId;
// Union both patterns
union HIDSpawnedShells, BrowserInjection
| extend InjectionType = iff(InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe"), "BrowserInputInjection", "HIDKeystrokeInjection")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, AccountName, InjectionType, InitiatingProcessFileName,
InitiatingProcessId, FileName, ProcessId, ProcessCommandLine, SHA256, ReportIdDetects two key input injection patterns: (1) HID/USB keystroke injection where desktop shell processes (explorer.exe, winlogon.exe) spawn PowerShell or command interpreters with encoded/obfuscated arguments typical of malicious USB HID devices used by FIN7 and similar threat actors; (2) Browser-based input injection (BackSwap-style) where browsers spawn child processes through simulated keystroke sequences targeting the developer console or address bar. Correlates process creation lineage with command-line obfuscation indicators.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
- Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
- Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications
- Developer tools and IDEs that programmatically open terminal sessions from browser-integrated development environments
- Browser automation frameworks (Selenium, Puppeteer in non-headless mode) during legitimate QA testing that trigger child process creation
Other platforms for T1674
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Keystroke Injection via SendKeys COM Object
Expected signal: Sysmon Event ID 1: powershell.exe process creation with '-Command' and 'SendKeys' in CommandLine; subsequent notepad.exe process creation from shell parent
- Test 2Simulated HID USB Attack - AutoHotkey Keystroke Script
Expected signal: Sysmon Event ID 1: AutoHotkey.exe spawning, followed by PowerShell process creation triggered by simulated Win+R keystrokes; DeviceProcessEvents showing explorer.exe as grandparent of PowerShell
- Test 3Browser Console JavaScript Injection via Clipboard and Simulated Keystrokes (BackSwap Simulation)
Expected signal: Sysmon Event ID 1 or DeviceProcessEvents: PowerShell process with SendKeys and AppActivate in command line; clipboard write event followed by browser F12 key injection; browser console activity
- Test 4USB Rubber Ducky Payload Simulation - Direct Win32 API Keystroke Injection
Expected signal: Sysmon Event ID 1: PowerShell with Add-Type and SendInput/DllImport in command or script content; DeviceImageLoadEvents for user32.dll loaded into PowerShell process; Security Event 4688 if process auditing enabled
References (9)
- https://attack.mitre.org/techniques/T1674/
- https://www.bleepingcomputer.com/news/security/backswap-malware-found-in-pirated-software/
- https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/
- https://www.bleepingcomputer.com/news/security/fin7-hackers-now-sending-malicious-usb-sticks-via-usps/
- https://www.ic3.gov/Media/News/2020/201210-1.pdf
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
- https://attack.mitre.org/groups/G0046/
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendinput
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-postmessagea
Unlock Pro Content
Get the full detection package for T1674 including response playbook, investigation guide, and atomic red team tests.