Potential Keylogger Activity

Nov 2, 2023 · attack.collection attack.credential_access attack.t1056.001 ·

Detects PowerShell scripts that contains reference to keystroke capturing functions

Sigma rule (View on GitHub)

 1title: Potential Keylogger Activity
 2id: 965e2db9-eddb-4cf6-a986-7a967df651e4
 3status: test
 4description: Detects PowerShell scripts that contains reference to keystroke capturing functions
 5references:
 6    - https://twitter.com/ScumBots/status/1610626724257046529
 7    - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
 8    - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
 9    - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/01/04
12tags:
13    - attack.collection
14    - attack.credential_access
15    - attack.t1056.001
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    selection:
22        ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
23    condition: selection
24falsepositives:
25    - Unknown
26level: medium

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More
VirusTotal

VirusTotal

Read More
VirusTotal

VirusTotal

Read More
Keyboard.IsKeyDown(Key) Method (System.Windows.Input)

Determines whether the specified key is pressed.

Read More

Potential Keylogger Activity

Sigma rule (View on GitHub)

References

VirusTotal

VirusTotal

Keyboard.IsKeyDown(Key) Method (System.Windows.Input)

Related rules