title: Input Capture (T1056)
id: df00tech-t1056
status: experimental
description: "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture). Common sub-techniques include keylogging via Windows hooks (SetWindowsHookEx), GUI input capture via credential dialog spoofing, web portal capture via fake login pages, and credential API hooking via DLL injection into authentication processes. Threat actors including APT42, Storm-1811, and APT39 have leveraged these techniques, as have malware families such as InvisibleFerret, Chaes, Kobalos, and NPPSPY."
references:
  - https://attack.mitre.org/techniques/T1056/
  - https://df00tech.com/detections/T1056
author: df00tech
date: 2026/04/17
tags:
  - attack.t1056
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate accessibility software (screen readers, on-screen keyboards, Dragon NaturallySpeaking) that register low-level keyboard hooks via SetWindowsHookEx"
  - "Enterprise security products (DLP agents, PAM tools like CyberArk) that monitor credential entry as a security control — these load DLLs into credential processes"
  - "Password managers (1Password, Bitwarden, KeePass) that hook input fields for autofill functionality"
  - "Keyboard remapping utilities (AutoHotkey, SharpKeys, Microsoft PowerToys) that legitimately intercept and redirect keystrokes"
  - "Remote desktop and KVM software (TeamViewer, AnyDesk, VNC) that capture keyboard/mouse input for remote transmission"
  - "Custom enterprise single-sign-on (SSO) credential providers legitimately registered as network providers in HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order"
level: high
