T1056: Input Capture

Data from MITRE ATT&CK®:

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

File Modification (File)

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

Windows Registry Key Modification (Windows Registry)

Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)

Process Metadata (Process)

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

Driver Load (Driver)

Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

OS API Execution (Process)

Operating system function/method calls executed by a process

DNS Query Request To OneLaunch Update Service

windows dns query

Suspicious Network Communication With IPFS

proxy