T1056 - Input Capture

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

Atomic Tests:

Currently, no tests are available for this technique.

Detection

Detection may vary depending on how input is captured but may include monitoring for certain Windows API calls (e.g. SetWindowsHook, GetKeyState, and GetAsyncKeyState)(Citation: Adventures of a Keystroke), monitoring for malicious instances of Command and Scripting Interpreter, and ensuring no unauthorized drivers or kernel modules that could indicate keylogging or API hooking are present.

Shield Active Defense

Decoy Content

Seed content that can be used to lead an adversary in a specific direction, entice a behavior, etc.

Decoy Content is the data used to tell a story to an adversary. This content can be legitimate or synthetic data which is used to reinforce or validate your defensive strategy. Examples of decoy content are files on a storage object, entries in the system registry, system shortcuts, etc.

Opportunity

There is an opportunity to feed content to an adversary to influence their behaviors, test their interest in specific topics, or add legitimacy to a system or environment.

Use Case

A defender can feed decoy data to an adversary that is using a key-logger or other tool, so as to shape the encounter.

Procedures

Create directories and files with names and contents using key words that may be relevant to an adversary to see if they examine or exfiltrate the data. Seed a file system with content that is of no value to the company but reinforces the legitimacy of the system if viewed by an adversary.