
T1056 Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to many different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

| Item | Value |
| --- | --- |
| ID | T1056 |
| Sub-techniques | T1056.001, T1056.002, T1056.003, T1056.004 |
| Tactics | TA0009, TA0006 |
| Platforms | Linux, Network, Windows, macOS |
| Permissions required | Administrator, SYSTEM, User, root |
| Version | 1.2 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2023 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| G0087 | APT39 | APT39 has utilized tools to capture mouse movements.[7] |
| S0631 | Chaes | Chaes has a module to perform any API hooking it desires.[2] |
| S0381 | FlawedAmmyy | FlawedAmmyy can collect mouse events.[3] |
| S0641 | Kobalos | Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[4][5] |
| S1060 | Mafalda | Mafalda can conduct mouse event logging.[6] |
| S1059 | metaMain | metaMain can log mouse events.[6] |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0027 | Driver | Driver Load |
| DS0022 | File | File Modification |
| DS0009 | Process | OS API Execution |
| DS0024 | Windows Registry | Windows Registry Key Modification |

References