1. Home
  2. ATT&CK Techniques
  3. T1056.001 Keylogging

T1056.001 Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:

  • Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
  • Reading raw keystroke data from the hardware buffer.
  • Windows Registry modifications.
  • Custom drivers.
  • Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
View in MITRE ATT&CK®

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2025-33053 Microsoft Windows External Control of File Name or Path Vulnerability secondary_impact T1056.001 Keylogging
Comments
By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.
References
  1. https://research.checkpoint.com/2025/stealth-falcon-zero-day/

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
attribute.confidentiality.data_disclosure None related-to T1056.001 Keylogging

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
microsoft_sentinel Microsoft Sentinel technique_scores T1056.001 Keylogging
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.
References
  1. https://learn.microsoft.com/en-us/azure/sentinel/overview
  2. https://learn.microsoft.com/en-us/azure/sentinel/hunting
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1056.001 Keylogging
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-Keystrokes Exfiltration module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction