What is keystroke logging?
Content in this page
- What is keystroke logging?
- How do keyloggers work?
- Notable keylogging incidents
- Types of keyloggers
- How to check for keyloggers
- Best practices to evade keylogging
- Guarding against keyloggers
- How can Log360 help?
What is keystroke logging?
A keystroke is any action through which we interact with a computer by pressing buttons or keys. Keystroke logging, commonly known as keylogging, refers to the process of recording the details of keystrokes made on a device in the form of logs. This log generation happens without the user's consent. Keylogging is done using tools called keystroke loggers or keyloggers, which record every stroke entered on the device and save it in a file. Attackers then analyze the pattern in keystrokes to identify sensitive data such as credentials.
Keyloggers can also be pre-programmed to look for specific strokes like @, which could indicate the the user is entering important credentials. While keylogging is often associated with malicious intent, there are legitimate uses as well. These include improving the user experience through keystroke analysis for application and website optimization, and tracking one's own typing habits to enhance productivity and prevent repetitive strain injuries. Keylogging even aids in troubleshooting technical issues by recording user inputs, facilitating efficient problem-solving and customer support.
How do keyloggers work?
Attackers use keylogging tools with an intention of exploiting the user's personal data. They try to steal credit card information to make unauthorized transactions, infiltrate business emails, or even hijack social media accounts.
A keylogger typically works in the following way:
- 1 Installation: Keyloggers can be inserted into devices through phishing emails, compromised websites, malicious software downloads, or even physical devices connected to a computer keyboard or USB port.
- 2 Initialization: Once installed, they run in the background without the user's knowledge.
- 3 Keystroke capture: They record and save all the keystroke entries, presses, releases, and combinations. Some keylogging tools can also capture everything on the user's copy-and-paste clipboard, microphone, and even camera footage.
- 4 Data storage: The data is stored locally on the compromised device or sent to the attacker's remote server.
- 5 Exfiltration: The attacker retrieves the data, which he analyzes to extract sensitive information.
Notable keylogging incidents
Some of the notable cyberattacks that involved keylogging are:
LastPass breach:
In 2022, LastPass revealed a sequence of events in which a malicious actor successfully gained access to and exfiltrated extremely sensitive customer account data from the company's Amazon Web Services storage servers during a well-coordinated and prolonged campaign spanning several months.
StrongPity APT:
This group is known for using a legitimate Notepad++ installer in conjunction with malicious executables, a tactic that grants them persistence on a targeted machine even after a reboot. This backdoor serves as a means for the threat actor to install a keylogger on the compromised system and establish communication with a command-andcontrol (C&C) server for transmitting the software's output.
Types of keyloggers
Keyloggers can usually be classifies into two main types:
Hardware keyloggers: These are physical devices that are directly connected to the targeted system. Hardware keyloggers may be disguised as computer cables or USB adapters. They detect the electronic signals generated when the keys on the keyboard are pressed. Sometimes, keystrokes are also visually tracked with the help of camera keyloggers. Adversaries will need physical and direct access to the system to use hardware keyloggers, which is why they are not very commonly used.
Software keyloggers: These are more often used by adversaries since installation doesn't require any physical access. Software keyloggers are malicious computer programs, which are usually inserted in the target device with the help of social engineering practices. Once installed, they gain system-level access and operate in a stealthy mode. Software keyloggers come in different varieties, including:
- 1 API-based keyloggers: These use an application programing interface to monitor keyboard entries.
- 2 Form-grabbing keyloggers: These intercept the text entered in a website, which is stored locally for exfiltration.
- 3 Kernel-based keyloggers: These work at the kernel level of an operating system and attempt to secure a high privilege inside the network.
How to check for keyloggers
Detecting keyloggers is usually a little tricky. Nevertheless, we can watch out for some signs like slow browser speeds, disappearing cursors, and lag in keystrokes or mouse movement. When using a SIEM solution, a few events can act as indicators of keylogging:
- Suspicious network traffic to unfamiliar IP addresses
- Unexpected process creation
- Unusual access to system or application logs
- Suspicious patterns of keyboard activity
Continuous log collection and analysis to find any anomalous pattern of events can help proactively identify anomalous patterns indicative of keylogging. Once detected, keyloggers must be immediately removed.
Removing keyloggers involves running comprehensive antivirus scans, updating software, uninstalling suspicious programs, and checking for hardware devices. If the keylogger persists, consider using anti-rootkit tools, manually reviewing system logs, and changing passwords.
Best practices to evade keylogging
Endpoint monitoring
Endpoint monitoring
Monitor for the installation of new software or drivers. Keyloggers often install themselves as drivers or software components. Look for unauthorized or suspicious processes running on endpoints.
Signature-based detection
Signature-based detection
Use threat intelligence feeds and regularly updated signature databases to detect known keylogging software or patterns.
Network monitoring
Network monitoring
Monitor for unusual outbound traffic, especially to unknown or suspicious domains. Keyloggers often send captured data to remote servers. Look for encrypted traffic to non-standard ports, which might indicate data exfiltration.
Correlation rules
Correlation rules
Create correlation rules to detect patterns indicative of keylogging. For instance, a rule might trigger an alert if a new software installation is followed by unusual outbound traffic.
File integrity monitoring
File integrity monitoring
Monitor critical system files and directories for unauthorized changes. Keyloggers might try to modify system files to embed themselves.
Guarding against keyloggers
To shield businesses from keyloggers, organizations can adopt a range of effective strategies. Two-factor authentication is a pivotal defense. Requiring an extra layer of verification beyond mere passwords ensures that, even if login credentials are compromised, unauthorized access remains elusive.
Businesses should also implement a Zero Trust model within their organization. Access to downloading files from the internet should be tightly restricted and granted solely to necessary personnel. Even with these controls in place, employees must remain educated about safe internet usage. They should be trained to have the capability to identify suspicious files and understand the perils of phishing.
Maintaining up-to-date devices and software is another cornerstone of defense. Regularly installing the latest updates and patches increases protection against keyloggers and other threats. Vulnerabilities in unpatched software can be exploited by threat actors, but up-to-date software can effectively detect and counter malicious intrusions.
Adoption of a password manager is another highly recommended practice. Password managers not only elevate password security but also serve as a defense against keyloggers. Storing passwords securely within the manager eliminates the need to type them, rendering keyloggers ineffective.
Learn how Log360 can combat keylogging attack and such stealthy attacks with a suite of security features like:
- Network monitoring
- Machine learning based behavior analytics
- Incident response automation
How can Log360 help?
1. Custom report for input capture logging
Log360 enables the creation of custom reports focused on input capture logging. This is achieved by monitoring a specific event ID (4104), which is crucial in detecting keylogging activities.
How it works:
- The system tracks and logs every instance of Event ID 4104.
- Custom reports can be generated, providing detailed insights into all input capture activities.
- This aids in identifying any suspicious or unauthorized input logging, a common footprint of keylogging malware.
2. File monitoring report
The file monitoring report in Log360 offers comprehensive tracking of file activities. This includes modifications, deletions, additions, renaming, permission changes, and an overview of top file operations.
How it works:
- Continuous monitoring of all file activities in the system.
- Generates detailed reports on any changes made to files, which is vital in detecting keylogging software that may alter or create new files.
- The report helps in quickly identifying unauthorized file operations, which could indicate a keylogging threat.
3. Custom correlation rule
Log360 enables the creation of custom correlation rules, enhancing its ability to detect security threats like keylogging. A specific example is a rule designed to identify PowerShell-based keylogging activities.
How it works:
- Monitoring Event ID 4104: The rule focuses on Event ID 4104, which logs PowerShell script block executions. This allows for close monitoring of all PowerShell activities on the system.
- Detecting Keylogging Indicators: The rule scans the content of each logged script block for specific strings indicative of keylogging. These include 'Get-Keystrokes', 'GetAsyncKeyState', and 'GetForegroundWindow'.
- Alert Mechanism: When these keylogging-related strings are detected within a script block, the rule triggers an alert, signaling a possible keylogging attempt.
This custom correlation rule is tailored to detect PowerShell keylogging. By focusing on specific, known keylogging commands and functions, it effectively identifies potential keylogging attempts, a critical aspect in mitigating sophisticated cyber threats.
4. Alert profile for created correlation
With Log360, users can set up alert profiles for created correlation rules. This ensures immediate notification when specific conditions of the rule are met.
How it works:
- Once a custom correlation rule is triggered, Log360 generates an alert.
- These alerts can be customized to meet the specific monitoring needs and threat response plans of the organization.
- Immediate alerts allow for a swift response to potential keylogging incidents, reducing the risk of data theft or compromise.
