Potential Keylogger Activity
Detects PowerShell scripts that contain references to keystroke-capturing functions.
Sigma rule
title: Potential Keylogger Activity
id: 965e2db9-eddb-4cf6-a986-7a967df651e4
status: test
description: Detects PowerShell scripts that contains reference to keystroke capturing functions
references:
    - https://twitter.com/ScumBots/status/1610626724257046529
    - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
    - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
    - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
    condition: selection
falsepositives:
    - Unknown
level: medium
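To show how the selection above behaves on Script Block Logging records, here is an added Python example (not code from the SigmaHQ rule or its author) that applies Sigma's default case-insensitive `contains` semantics to constructed Event ID 4104 entries; the event model, the `triage` helper and the sample script texts are assumptions made for the demonstration.

```python
"""Evaluate the rule's `ScriptBlockText|contains` selection against sample
PowerShell Script Block Logging events (constructed, not real captures)."""
from dataclasses import dataclass

# Pattern copied verbatim from the rule's selection.
KEYLOGGER_PATTERN = "[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::"


@dataclass
class ScriptBlockEvent:
    """Minimal model (assumed) of a 4104 record: id plus the logged script text."""
    script_block_id: str
    script_block_text: str


def sigma_contains(field_value: str, pattern: str) -> bool:
    """Sigma's `|contains` modifier: substring match, case-insensitive by default."""
    return pattern.casefold() in field_value.casefold()


def matches_rule(event: ScriptBlockEvent) -> bool:
    """`condition: selection` with a single field, so the rule fires on one match."""
    return sigma_contains(event.script_block_text, KEYLOGGER_PATTERN)


def triage(events: list[ScriptBlockEvent]) -> list[str]:
    """Return the ids of events that would raise this medium-level alert."""
    return [e.script_block_id for e in events if matches_rule(e)]


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    ScriptBlockEvent("sb-001", "Get-Process | Where-Object { $_.CPU -gt 100 }"),
    # Exact form the rule was written for.
    ScriptBlockEvent("sb-002", "[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::A)"),
    # PowerShell resolves type names case-insensitively, so the casing of the logged
    # text may vary; Sigma's case-insensitive contains still matches it.
    ScriptBlockEvent("sb-003", "[windows.input.keyboard]::iskeydown([system.windows.input.key]::A)"),
    # A different method on the same class is outside this rule's selection.
    ScriptBlockEvent("sb-004", "[Windows.Input.Keyboard]::GetKeyStates([System.Windows.Input.Key]::A)"),
]

if __name__ == "__main__":
    print("Matched script blocks:", triage(SAMPLE_EVENTS))
```

Because the selection is a plain substring, the rule only covers the `IsKeyDown` call form; a backend that compiles `contains` as case-sensitive would miss sb-003, which is worth checking when the rule is converted.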