← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential Keylogger Activity

Detects PowerShell scripts that contains reference to keystroke capturing functions

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1056.001
Rule sourcerules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
title: Potential Keylogger Activity
id: 965e2db9-eddb-4cf6-a986-7a967df651e4
status: test
description: Detects PowerShell scripts that contains reference to keystroke capturing functions
references:
    - https://twitter.com/ScumBots/status/1610626724257046529
    - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
    - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
    - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
    condition: selection
falsepositives:
    - Unknown
level: medium