T1674 Input Injection
Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).
For example, adversaries have used tooling that monitors the Windows message loop to detect when a user visits bank-specific URLs. If detected, the tool then simulates keystrokes to open the developer console or select the address bar, pastes malicious JavaScript from the clipboard, and executes it - enabling manipulation of content within the browser, such as replacing bank account numbers during transactions.13
Adversaries have also used malicious USB devices to emulate keystrokes that launch PowerShell, leading to the download and execution of malware from adversary-controlled servers.2
| Item | Value |
|---|---|
| ID | T1674 |
| Sub-techniques | |
| Tactics | TA0002 |
| Platforms | Linux, Windows, macOS |
| Version | 1.0 |
| Created | 27 March 2025 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0046 | FIN7 | FIN7 has used malicious USBs to emulate keystrokes to launch PowerShell to download and execute malware from the adversary’s server.65 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention | Denylist scripting and use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).4 |
| M1034 | Limit Hardware Installation | Limit the use of USB devices and removable media within a network. |
References
-
Catalin Cimpanu. (2018, May 25). BackSwap Banking Trojan Uses Never-Before-Seen Techniques. Retrieved March 27, 2025. ↩
-
Ionut Ilascu. (2020, March 27). FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS. Retrieved March 27, 2025. ↩
-
Michal Poslušný. (2018, May 25). BackSwap malware finds innovative ways to empty bank accounts. Retrieved March 27, 2025. ↩
-
PowerShell Team. (2017, November 2). PowerShell Constrained Language Mode. Retrieved March 27, 2023. ↩
-
Gemini Advisory. (2022, January 13). FIN7 Uses Flash Drives to Spread Remote Access Trojan. Retrieved May 14, 2025. ↩
-
The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022. ↩