| Item | Value |
|---|---|
| ID | DET0102 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1056 (Input Capture)
Analytics
Windows
AN0282
Monitors for abnormal process behavior and API calls like SetWindowsHookEx, GetAsyncKeyState, or device input polling commonly used for keystroke logging.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TargetImage | Can be scoped to sensitive GUI processes like explorer.exe or winlogon.exe |
| TimeWindow | Time threshold for detecting multiple suspicious accesses |
Linux
AN0283
Detects use of tools/scripts accessing input devices like /dev/input/* or evdev via suspicious processes lacking GUI context.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ProcessName | Unusual process accessing device files |
| DevicePath | Typically /dev/input/*, but tunable to exact endpoint config |
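A worked version of the AN0283 logic, added here as an illustration and not part of the detection strategy itself: it runs over constructed file-open events, exposes the DevicePath and ProcessName tunables as parameters, and treats a reader with no display session as lacking GUI context. The event shape, the `EXPECTED_READERS` allowlist and the DISPLAY/WAYLAND_DISPLAY heuristic are assumptions to be tuned to the endpoint.

```python
"""Illustrative detection for AN0283: unexpected processes reading Linux input devices."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Set

# Tunables mirroring the analytic's mutable elements.
DEVICE_PATH = "/dev/input/*"  # DevicePath: pattern for input device nodes
# Assumed allowlist of legitimate input consumers (ProcessName tuning); replace
# with the display server and input daemons actually present on the endpoint.
EXPECTED_READERS: Set[str] = {"Xorg", "Xwayland", "gnome-shell", "systemd-logind"}


@dataclass
class OpenEvent:
    """One file-open event, as reduced from an EDR or audit file-access log (assumed shape)."""
    pid: int
    process: str
    path: str
    env: Dict[str, str] = field(default_factory=dict)


def lacks_gui_context(ev: OpenEvent) -> bool:
    """Heuristic: no display session variables means no interactive GUI context."""
    return not any(k in ev.env for k in ("DISPLAY", "WAYLAND_DISPLAY"))


def detect(events: Iterable[OpenEvent], device_path: str = DEVICE_PATH,
           allow: Set[str] = EXPECTED_READERS) -> List[OpenEvent]:
    """Return events where a non-allowlisted, non-GUI process opened an input device."""
    hits = []
    for ev in events:
        if not fnmatch(ev.path, device_path):   # only input device nodes
            continue
        if ev.process in allow:                 # expected readers are benign
            continue
        if lacks_gui_context(ev):               # headless reader of raw input
            hits.append(ev)
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    OpenEvent(812, "Xorg", "/dev/input/event2"),                         # allowlisted
    OpenEvent(4242, "python3", "/dev/input/event2"),                     # headless reader
    OpenEvent(5100, "supertux", "/dev/input/event5", {"DISPLAY": ":0"}),  # GUI app
    OpenEvent(2200, "bash", "/etc/passwd"),                              # not a device
    OpenEvent(6001, "mouselog", "/dev/input/mice"),                      # headless reader
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.pid} process={hit.process} opened {hit.path}")
```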
macOS
AN0284
Monitors for TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services used in keylogging or screen monitoring.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| Service | com.apple.accessibility, com.apple.quartz, etc. depending on the API path used |
| ParentProcess | Unusual parent/child pairings can indicate malicious injection |
Network Devices
AN0285
Detects web-based credential phishing by analyzing traffic to suspicious URLs that mimic login portals and POST requests carrying credential content.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| UserAgent | Mismatched browser identifiers used by phishing kits |
| URL_Path | Paths resembling known login forms but hosted on unknown domains |