CAPEC-568: Capture Credentials via Keylogger
Attack Pattern ID: 568
Version: v3.9
Attack Pattern Name: Capture Credentials via Keylogger
Abstraction: Detailed
Status: Draft
Likelihood of Attack:
Typical Severity: High
▼Description
An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which strings are likely to be passwords or other credential-related information.
▼Extended Description
▼Alternate Terms
▼Relationships
Nature | Type | ID | Name
ChildOf | Standard | 569 | Collect Data as Provided by Users
CanFollow | Detailed | 270 | Modification of Registry Run Keys
CanPrecede | Meta | 151 | Identity Spoofing
CanPrecede | Meta | 560 | Use of Known Domain Credentials
CanPrecede | Detailed | 561 | Windows Admin Shares with Stolen Credentials
CanPrecede | Standard | 600 | Credential Stuffing
CanPrecede | Standard | 653 | Use of Known Operating System Credentials
▼Execution Flow
Explore

1. Determine which user's credentials to capture

Since this is a more targeted attack, an adversary will first identify a particular user whose credentials they wish to capture.

Experiment

1. Deploy keylogger

Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.

Techniques:
- Send a phishing email with a malicious attachment that installs a keylogger on a user's system
- Conceal a keylogger behind fake software and get the user to download the software
- Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
- Gain access to the user's system through a vulnerability and manually install a keylogger

2. Record keystrokes

Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.

3. Analyze data and determine credentials

Using the captured keystrokes, the adversary will be able to determine the credentials of the user.

Techniques:
- Search for repeated sequences that are followed by the enter key
- Search for repeated sequences that are not found in a dictionary
- Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence

Exploit

1. Use found credentials

After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack.
▼Prerequisites
The ability to install the keylogger, either in person or remotely.
▼Skills Required
▼Resources Required
▼Indicators
▼Consequences
Scope | Likelihood | Impact | Note
▼Mitigations
Strong physical security can help reduce the ability of an adversary to install a keylogger.
▼Example Instances
▼Related Weaknesses
ID | Name
▼Taxonomy Mappings
Taxonomy Name | Entry ID | Entry Name
ATTACK | 1056.001 | Input Capture: Keylogging
▼Notes
▼References