CAPEC-568 Detail
Capture Credentials via Keylogger
Detailed Software Typical Severity: High
Parents: 569
Threats: T258 T302
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-568 | capec | https://capec.mitre.org/data/definitions/568.html | |
| T1056.001 | ATTACK | https://attack.mitre.org/wiki/Technique/T1056/001 | Input Capture: Keylogging |
Explore
- Determine which user's credentials to capture: Since this is a more targeted attack, an adversary will first identify a particular user whose credentials they wish to capture.
Experiment
- Deploy keylogger: Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.
- Record keystrokes: Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.
- Analyze data and determine credentials: Using the captured keystrokes, the adversary will be able to determine the credentials of the user.
| Techniques |
|---|
| Send a phishing email with a malicious attachment that installs a keylogger on a user's system |
| Conceal a keylogger behind fake software and get the user to download the software |
| Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge |
| Gain access to the user's system through a vulnerability and manually install a keylogger |
| Techniques |
|---|
| Search for repeated sequences that are followed by the enter key |
| Search for repeated sequences that are not found in a dictionary |
| Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence |
Exploit
- Use found credentials: After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack.
- The ability to install the keylogger, either in person or remotely.