Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056.001 | Input Capture: Keylogging |
attribute.confidentiality.data_disclosure | related-to | T1056.001 | Input Capture: Keylogging |