title: Keylogging (T1056.001)
id: df00tech-t1056-001
status: experimental
description: "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is commonly used when OS credential dumping techniques are ineffective, and may require monitoring a system for a substantial period before credentials are captured. Techniques include API hooking (SetWindowsHookEx, GetAsyncKeyState), reading hardware buffers, registry modifications, and custom drivers. This detection focuses on behavioral indicators of keylogger installation and activity on Windows systems."
references:
  - https://attack.mitre.org/techniques/T1056/001/
  - https://df00tech.com/detections/T1056.001
author: df00tech
date: 2026/04/16
tags:
  - attack.t1056.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, the selection below matches every process_creation event and will fire on all of them.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate accessibility software (e.g., Dragon NaturallySpeaking, screen readers such as JAWS and NVDA) that uses keyboard hook APIs for input monitoring"
  - "Password managers and macro utilities (AutoHotkey, Logitech G Hub, Razer Synapse) that legitimately hook keyboard input for hotkeys"
  - "Security testing tools and endpoint security products that monitor keyboard input as part of behavior analysis"
  - "Remote desktop and virtual machine software (VMware, VirtualBox, AnyDesk, TeamViewer) that intercepts keyboard input for session relay"
level: high
