title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
    - https://linux.die.net/man/8/pam_tty_audit
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
    - https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1003
    - attack.t1056.001
logsource:
    product: linux
    service: auditd
detection:
    selection_path_events:
        type: PATH
        name:
            - '/etc/pam.d/system-auth'
            - '/etc/pam.d/password-auth'
    selection_tty_events:
        type:
            - 'TTY'
            - 'USER_TTY'
    condition: 1 of selection_*
falsepositives:
    - Administrative work
level: high

title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
    - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
    - https://github.com/S12cybersecurity/RDPCredentialStealer
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2025-12-09
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith:
              - '\credui.dll'
              - '\wincredui.dll'
        - OriginalFileName:
              - 'credui.dll'
              - 'wincredui.dll'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\SystemApps\'
    filter_main_full:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
    filter_optional_opera:
        Image|endswith: '\opera_autoupdate.exe'
    filter_optional_process_explorer:
        Image|endswith:
            - '\procexp64.exe'
            - '\procexp.exe'
    filter_optional_teams:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\Teams\'
        Image|endswith: '\Teams.exe'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate processes loading those DLLs in your environment.
level: medium

title: PUA - Mouse Lock Execution
id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: test
description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
references:
    - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
    - https://sourceforge.net/projects/mouselock/
author: Cian Heasley
date: 2020-08-13
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Product|contains: 'Mouse Lock'
        - Company|contains: 'Misc314'
        - CommandLine|contains: 'Mouse Lock_'
    condition: selection
falsepositives:
    - Legitimate uses of Mouse Lock software
level: medium

title: Potential Keylogger Activity
id: 965e2db9-eddb-4cf6-a986-7a967df651e4
status: test
description: Detects PowerShell scripts that contains reference to keystroke capturing functions
references:
    - https://twitter.com/ScumBots/status/1610626724257046529
    - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
    - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
    - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Powershell Keylogging
id: 34f90d3c-c297-49e9-b26d-911b05a4866c
status: test
description: Adversaries may log user keystrokes to intercept credentials as the user types them.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
author: frack113
date: 2021-07-30
modified: 2022-07-11
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_basic:
        ScriptBlockText|contains: 'Get-Keystrokes'
    selection_high: # want to run in background and keyboard
        ScriptBlockText|contains|all:
            - 'Get-ProcAddress user32.dll GetAsyncKeyState'
            - 'Get-ProcAddress user32.dll GetForegroundWindow'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium

title: DNS Query Request To OneLaunch Update Service
id: df68f791-ad95-447f-a271-640a0dab9cf8
status: test
description: |
    Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
    When the OneLaunch application is installed it will attempt to get updates from this domain.
references:
    - https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
    - https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
    - https://malware.guide/browser-hijacker/remove-onelaunch-virus/
author: Josh Nickels
date: 2024-02-26
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName: 'update.onelaunch.com'
        Image|endswith: '\OneLaunch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: low

title: GUI Input Capture - macOS
id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
status: test
description: Detects attempts to use system dialog prompts to capture user credentials
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
author: remotephone, oscd.community
date: 2020-10-13
modified: 2025-12-05
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.002
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        Image|endswith: '/osascript'
    selection_cli_1:
        CommandLine|contains|all:
            - '-e'
            - 'display'
            - 'dialog'
            - 'answer'
    selection_cli_2:
        CommandLine|contains:
            - 'admin'
            - 'administrator'
            - 'authenticate'
            - 'authentication'
            - 'credentials'
            - 'pass'
            - 'password'
            - 'unlock'
    condition: all of selection_*
falsepositives:
    - Legitimate administration tools and activities
level: low

title: Suspicious Network Communication With IPFS
id: eb6c2004-1cef-427f-8885-9042974e5eb6
status: test
description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
references:
    - https://blog.talosintelligence.com/ipfs-abuse/
    - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
    - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
author: Gavin Knapp
date: 2023-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056
logsource:
    category: proxy
detection:
    selection:
        cs-uri|re: '(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+'
    condition: selection
falsepositives:
    - Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this.
level: low