MITRE ATT&CK T1056 Input Capture
Keystrokes and other forms of input are among the most valuable pieces of information attackers can capture from a compromised system. Whether it's stealing credentials, monitoring user activity, or executing further malicious actions, adversaries frequently use input capture techniques to gain an advantage over their targets. Attackers use input capture techniques to intercept user input, including keylogging, clipboard monitoring, and credential theft.
In this blog post, we explain the T1056 Input Capture technique of the MITRE ATT&CK® framework and explore how adversaries employ input capture techniques with real-world attack examples in detail.
|
|
Adversary Use of Input Capture
Adversaries use Input Capture to covertly intercept user inputs, such as keystrokes, mouse movements, and clipboard data, to extract sensitive information like credentials or personal data. Common techniques include keylogging, where attackers intercept keystrokes by using API hooking or directly accessing hardware buffers. Another method is GUI-based input capture, which involves creating fake system prompts or interfaces that deceive users into entering sensitive information. Clipboard monitoring is also employed to target copied data, such as passwords retrieved from password managers.
These methods are particularly effective in environments with insufficient monitoring and often operate stealthily, making detection challenging. To mitigate such attacks, organizations can monitor for unusual API behavior, implement application whitelisting to restrict unauthorized software, and use behavioral analytics to identify anomalies indicative of input capture activities.
Sub-techniques of T1056 Input Capture
T1056.001 Keylogging
Keylogging, or keystroke logging, is a method used to monitor and record a user's keystrokes on a device. It is often employed by adversaries to capture sensitive information such as usernames, passwords, and personal data without the user's knowledge. Keyloggers can be software-based, operating as hidden programs on a device, or hardware-based, physically attached to a keyboard or computer. These tools can capture data in real-time, storing or transmitting it to the attacker.
1. Hooking API Callback
Hooking API Callbacks involves intercepting the core routines that operating systems use to handle keyboard events. Modern operating systems rely on specific APIs to process user input, and adversaries may inject malicious code, such as a DLL, to "hook" these APIs—like GetMessage or PeekMessage on Windows—so that keystrokes are recorded before they reach the intended application.
Unlike Credential API Hooking, which targets credential-related APIs, this approach focuses on general keyboard processing functions, enabling attackers to capture everything typed, regardless of context.
Hooking API callbacks is popular because it reliably intercepts all keystrokes, can be easier to implement than kernel-level techniques, and remains relatively difficult to detect if adversaries hook well-known APIs within legitimate processes.
2. Reading Raw Keystroke Data from the Hardware Buffer
Reading Raw Keystroke Data from the Hardware Buffer is a technique where adversaries intercept keystrokes as they travel from the physical keyboard to the operating system. Because these signals pass through an interrupt or hardware buffer at a low level, malware—often in the form of a custom kernel driver or rootkit—can register itself to read the data directly. This allows attackers to capture raw keystrokes before any encryption or user-space protections take effect.
By positioning themselves so early in the data flow, adversaries make detection difficult for many security tools and ensure they collect every typed character, regardless of application or OS hooks.
3. Windows Registry Modification
Windows Registry Modifications is a technique used by adversaries to alter or create specific registry entries so that a keylogger component loads automatically at startup or whenever a user logs on. On Windows systems, registry keys like the ones below can be manipulated to trigger malicious processes or DLLs upon reboot or login.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Attackers might also modify accessibility features like Sticky Keys or set a debugger that points to the keylogger, so the malware launches whenever certain keyboard shortcuts are pressed. This approach provides persistence—allowing the keylogger to run continually—and offers flexibility, as there are numerous registry locations that can be hijacked, complicating detection and removal efforts.
4. Modify System Image (on Network Devices)
Modify System Image (on Network Devices) is an advanced keylogging approach where adversaries embed malicious code directly into the operating system or firmware of devices like routers, switches, or specialized appliances.
By altering the device image, attackers can capture raw keystrokes during administrative sessions (e.g., SSH or console logins) and log credentials typed by high-value targets such as network administrators. They may inject code into a router's firmware to monitor SSH/Telnet sessions or install hooks in the OS to record console inputs.
This technique provides strong persistence, as the keylogging functionality survives reboots, and is particularly difficult to detect because many security tools focus on endpoints rather than the low-level operating systems of network devices.
Notable Usages of Keylogging Observed in the Wild
Keylogging was one of the most used sub-technique observed in 2024. For instance, in July 2024, security researchers identified a malware campaign distributing DarkVision RAT, a remote access tool with capabilities for both live and offline keylogging [1]. This malware enables attackers to monitor and record keystrokes, facilitating the theft of sensitive information.
In the third quarter of 2024, researchers uncovered a series of cyberattacks targeting Russian government agencies, attributed to the threat group known as TaxOff [2]. These attacks featured the use of the Trinper backdoor, a highly sophisticated malware engineered for espionage and maintaining long-term access to compromised systems.
A critical component of Trinper is the BgJobKeylogger class, responsible for intercepting keystrokes within its dedicated thread. This class captures user inputs and stores them in a deque (double-ended queue), facilitating efficient data management. Additionally, clipboard data is collected and maintained in an unordered map, allowing the malware to monitor and record both keystrokes and copied content.
BOOL result; // eax |
By implementing these functionalities, Trinper enables attackers to gather confidential information from compromised systems, including sensitive data entered via the keyboard and clipboard.
2. T1056.002 GUI Input Capture
GUI Input Capture is a technique where adversaries mimic operating system prompts to deceive users into providing credentials. These fake prompts closely resemble legitimate ones, such as those for software installations or privilege elevation. Attackers often use tools like PowerShell, AppleScript, or Unix Shell scripts to create convincing interfaces. They may also replicate authentication requests from browsers or email clients to appear more trustworthy.
Adversaries exploit GUI Input Capture by imitating common operating system components to trick users into providing credentials. For instance, when legitimate tasks require elevated privileges, operating systems typically prompt users for authentication. Adversaries replicate this functionality, creating fake prompts that appear genuine, such as fake installers requesting additional access or fraudulent malware removal tools. These prompts can be crafted using scripting languages like PowerShell, AppleScript, or Unix Shell scripts. On Linux, attackers may use malicious shell scripts or command-line tools to launch credential-harvesting dialog boxes.
Additionally, adversaries may mimic software authentication requests from browsers or email clients. By combining these fake prompts with user activity monitoring, they can strategically time spoofed requests during sensitive operations, enhancing their success in stealing credentials.
There are many proofs of GUI input capture being used in the wild. In the DeceptionAds campaign identified in 2024, adversaries employed a sophisticated GUI Input Capture technique to distribute the Lumma Stealer malware [3]. They utilized the Monetag ad network to deliver pop-up advertisements across numerous websites, particularly targeting users of pirate streaming and software platforms. These ads redirected users to deceptive CAPTCHA verification pages, which appeared legitimate but were designed to deceive. Upon visiting these pages, a JavaScript snippet covertly copied a malicious PowerShell command to the user's clipboard. The page then instructed users to paste this command into their system's Run dialog to verify they were not bots:
Executing the command initiated the download and installation of the Lumma Stealer malware, compromising the user's system.
Another example is from MacStealer's methodology where the adversaries employ osascript to execute AppleScript code inline [4]. This generates a deceptively simple yet persuasive dialog box. For instance, an attacker might execute the following command:
osascript -e 'display dialog "MacOS wants to access the System Preferences." with title "System Preferences" with icon caution default answer "" with hidden answer' |
This script creates a pop-up dialog designed to resemble a legitimate macOS system prompt. The crafted message, "macOS wants to access the System Preferences," is paired with an authoritative title and a cautionary icon to instill a false sense of urgency.
The inclusion of a hidden text input field further reinforces the illusion of a routine security measure, subtly coaxing the user into entering their credentials.
3. T1056.003 Web Portal Capture
Web Portal Capture is a technique where adversaries modify web portals to intercept and steal user credentials. By injecting malicious code into login pages, they can capture data entered by unsuspecting users. This technique may be used during initial access attempts or post-compromise to maintain access using valid credentials. It relies on the ability to alter portal files or inject scripts into web applications.
Adversaries leverage this technique by installing malicious code on externally facing portals, such as VPN login pages, to steal user credentials. The modified code intercepts and logs credentials entered by users while still allowing them to log in, minimizing suspicion. This technique can be used post-compromise, where adversaries already have administrative access, as a backup mechanism to maintain access via valid accounts and external remote services. Alternatively, it can be part of the initial compromise, exploiting vulnerabilities in externally facing web services to inject malicious scripts. This allows adversaries to establish or retain unauthorized access to a network.
In January 2024, it was identified that adversaries exploited two zero-day vulnerabilities in the Ivanti Connect Secure VPN to conduct credential harvesting through Web Portal Capture technique [5]. The attackers exploited an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887) to gain unauthorized remote code execution access. Leveraging this access, they modified a legitimate JavaScript file associated with the Web SSL VPN login process. The altered script intercepted user credentials entered during the login process and transmitted them to an attacker-controlled domain.
Following the initial attacks, multiple threat groups began mass exploitation of these vulnerabilities [6], deploying custom malware to further their espionage activities. This widespread exploitation underscores the critical nature of securing web portals against such credential harvesting techniques.
4. T1056.004 Credential API Hooking
Credential API Hooking is a method where attackers intercept system API calls to capture authentication data like usernames and passwords. By modifying or redirecting API functions, they extract sensitive credentials directly from applications. Techniques include IAT hooking and inline hooking, allowing precise targeting of authentication processes. This covert method bypasses traditional defenses and enables discreet credential theft.
Adversaries utilize Credential API Hooking to intercept specific operating system API functions that handle authentication data, such as usernames and passwords. By redirecting these API calls, attackers can extract sensitive information directly from applications without user awareness. This method is more precise than general keylogging, as it targets particular authentication functions. Common implementation techniques include:
Hook Procedures
Hook procedures are used by adversaries to intercept events generated by system operations, including keystrokes, mouse clicks, and system messages. These hooks enable malicious code execution in response to designated triggers.
In Windows, the hook mechanism intercepts message traffic before it reaches a target window procedure and can be chained for broad coverage. It is commonly installed via SetWindowsHookEx with WH_KEYBOARD to capture key events or WH_MOUSE to observe mouse actions and dynamic event streams [7].
For instance, the malware sample "PDFSuperHero.exe*" is known to install both global keyboard and mouse hooks, enabling it to monitor user inputs extensively.
SHA-256*: bdeec81ab5620851b5fbac50df088985b21ef734577cce98feb0407de30d1c9f |
This method is especially potent for surveilling targeted actions, such as password input in a specific window or application, granting adversaries access to sensitive data without alerting the user.
Import Address Table (IAT) Hooking
Import Address Table (IAT) Hooking is a technique used in Windows applications to intercept and manipulate function calls by altering the Import Address Table (IAT). The IAT is a critical data structure in a program's memory that stores pointers to functions imported from dynamic link libraries (DLLs). These pointers allow the application to call external functions during runtime, such as displaying a notification or processing data.
Under normal circumstances, when a program calls a function like DisplayAlert, it queries the IAT to find the function's address and then executes the corresponding code in the associated DLL, such as syslib.dll. However, in IAT hooking, the function pointer in the IAT is replaced with the address of a custom function. This modification redirects the execution flow so that when the program calls DisplayAlert, it instead executes the attacker's custom code. For example, a malicious actor might replace the pointer for DisplayAlert with a rogue function named interceptedAlert [8]. This rogue function could execute additional malicious actions, such as logging sensitive data, before optionally calling the original DisplayAlert function to maintain the program's expected behavior. This allows the hook to remain covert while manipulating the program's functionality.
IAT hooking is commonly used by malware to intercept API calls, alter program behavior, and hide malicious activities. However, it's important to note that modern Windows operating systems have implemented security measures to protect the IAT from unauthorized modifications [9]. For instance, the IAT is now write-protected to prevent such tampering. However, certain processes, like delay-loaded imports, may temporarily modify the IAT during their operations. These security measures aim to make it more challenging for attackers to exploit IAT hooking techniques.
Ready to Simulate Real-World Threats From Red Report 2025?
References
[1] "Website." Available: https://www.hendryadrian.com/efficient-technical-analysis-of-darkvision-rat/
[2] "TaxOff: um, you've got a backdoor." https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/taxoff-um-you-ve-got-a-backdoor
[3] B. Toulas, "Malicious ads push Lumma infostealer via fake CAPTCHA pages," BleepingComputer. https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-infostealer-via-fake-captcha-pages/
[4] "AppleScript," Red Canary. https://redcanary.com/threat-detection-report/techniques/applescript/
[5] S. Adair, "Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN," Volexity. https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
[6] S. Gatlan, "Ivanti Connect Secure zero-days now under mass exploitation," BleepingComputer. https://www.bleepingcomputer.com/news/security/ivanti-connect-secure-zero-days-now-under-mass-exploitation/
[7] "Computer Security Course Content Week 9: Malware." Available: https://people.cs.rutgers.edu/~pxk/419/notes/pdf/09-malware.pdf
[8] "Import Adress Table (IAT) Hooking." Available: https://www.ired.team/offensive-security/code-injection-process-injection/import-adress-table-iat-hooking
[9] R. Chen, "The Import Address Table is now write-protected, and what that means for rogue patching," The Old New Thing. https://devblogs.microsoft.com/oldnewthing/20221006-07/?p=107257