| Name | Capture Credentials via Keylogger |
|---|---|

| Likelihood of attack | Typical severity |
|---|---|
| High | High |
Summary

An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which strings are likely to be passwords or other credential-related information.

Prerequisites

The ability to install the keylogger, either in person or remotely.
Execution Flow

Step 1 (Explore): [Determine which user's credentials to capture] Since this is a more targeted attack, an adversary will first identify a particular user whose credentials they wish to capture.

Step 2 (Experiment): [Deploy keylogger] Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways. Techniques:
- Send a phishing email with a malicious attachment that installs a keylogger on a user's system
- Conceal a keylogger behind fake software and get the user to download the software
- Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
- Gain access to the user's system through a vulnerability and manually install a keylogger

Step 3 (Experiment): [Record keystrokes] Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.

Step 4 (Experiment): [Analyze data and determine credentials] Using the captured keystrokes, the adversary will be able to determine the credentials of the user. Techniques:
- Search for repeated sequences that are followed by the enter key
- Search for repeated sequences that are not found in a dictionary
- Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence.

Step 5 (Exploit): [Use found credentials] After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack.
Solutions

Strong physical security can help reduce the ability of an adversary to install a keylogger.
Related CAPECs

| CAPEC ID | Description |
|---|---|
| CAPEC-151 | Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials. |
| CAPEC-560 | An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service. |
| CAPEC-561 | An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. |
| CAPEC-569 | An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different from Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions. |
| CAPEC-600 | An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services. |
| CAPEC-653 | An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System. |
Taxonomy: ATTACK

| Entry ID | Entry Name |
|---|---|
| 1056.001 | Input Capture: Keylogging |