Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
- Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
- Reading raw keystroke data from the hardware buffer.
- Windows Registry modifications.
- Custom drivers.
Utilize PowerShell and an external resource (the Get-Keystrokes.ps1 payload provided by PowerSploit) to capture keystrokes.
Upon successful execution, PowerShell runs Get-Keystrokes.ps1 and writes the captured keystrokes to key.log.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
filepath | Name of the local log file, including its path. | Path | $env:TEMP\key.log |
Attack commands (run with `powershell`):

```powershell
Set-Location $PathToAtomicsFolder
.\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
```

Cleanup commands:

```powershell
Remove-Item $env:TEMP\key.log -ErrorAction Ignore
```

Note that the cleanup always deletes `$env:TEMP\key.log`; if you override `filepath`, the log written to the custom location is not removed by this cleanup step.