T1056.md

# T1056 - Input Capture

Adversaries can use methods of capturing user input to obtain credentials for [Valid Accounts](https://attack.mitre.org/techniques/T1078) and to collect information; these methods include keylogging and user input field interception.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes (Citation: Adventures of a Keystroke), but other methods exist to target information for specific purposes, such as presenting a UAC prompt or wrapping the Windows default credential provider (Citation: Wrightson 2012).

Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and it may require the adversary to remain passive on a system for a period of time before an opportunity arises.

Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)

## Atomic Tests

## Atomic Test #1 - Input Capture

Utilize PowerShell and an external resource to capture keystrokes. The payload is provided by PowerSploit.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filepath | Name of the local file, including path. | Path | $env:TEMP\key.log |

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
# #{filepath} is the Atomic Red Team input placeholder; it is replaced by the
# "filepath" input above (default $env:TEMP\key.log) when the test is executed.
Set-Location $PathToAtomicsFolder
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
```

#### Cleanup Commands:

```powershell
Remove-Item $env:TEMP\key.log
```
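A detection-side counterpart to this test, added here as an example and not part of Atomic Red Team or PowerSploit: it scores PowerShell Script Block Logging text (Event ID 4104) for the script name and log path used by the test above, plus the Win32 keyboard-state APIs that keystroke capture typically references. It assumes the script block text is already extracted as strings; the sample records are constructed, not real captures.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hunting indicators for PowerShell Script Block Logging (Event ID 4104).
# Script name and default log path come from the atomic test above; the
# Win32 API names are the usual calls for reading keyboard state or hooks.
SCRIPT_NAMES = ("Get-Keystrokes",)
KEYBOARD_APIS = ("GetAsyncKeyState", "GetKeyboardState", "SetWindowsHookEx")
LOG_PATH_RE = re.compile(r"-LogPath\s+\S+|\\key\.log\b", re.IGNORECASE)

@dataclass
class Finding:
    record_id: int
    severity: str            # "high" (script/API match) or "low" (path only)
    reasons: List[str] = field(default_factory=list)

def score_script_block(record_id: int, text: str) -> Optional[Finding]:
    """Return a Finding if the script block text looks like input capture."""
    reasons = []
    lowered = text.lower()
    for name in SCRIPT_NAMES:
        if name.lower() in lowered:
            reasons.append(f"known keylogger script {name}")
    apis = [a for a in KEYBOARD_APIS if a in text]
    if apis:
        reasons.append("keyboard API reference: " + ", ".join(apis))
    severity = "high" if reasons else "low"   # path alone is weak evidence
    if LOG_PATH_RE.search(text):
        reasons.append("keystroke log path artifact")
    if not reasons:
        return None
    return Finding(record_id, severity, reasons)

def hunt(records: List[Tuple[int, str]]) -> List[Finding]:
    """Run the scorer over (record_id, script_block_text) pairs."""
    return [f for f in (score_script_block(i, t) for i, t in records) if f]

# Constructed sample 4104 script-block texts (hypothetical, not real logs).
SAMPLE_RECORDS = [
    (1, "Get-ChildItem $env:TEMP | Where-Object Length -gt 1MB"),
    (2, "Set-Location $PathToAtomicsFolder\n"
        ".\\T1056\\src\\Get-Keystrokes.ps1 -LogPath $env:TEMP\\key.log"),
    (3, '[DllImport("user32.dll")] public static extern short '
        "GetAsyncKeyState(int vKey); ... | Out-File -Append $env:TEMP\\key.log"),
    (4, "Remove-Item $env:TEMP\\key.log"),   # the cleanup command, low signal
]
```

Record 4 shows why the path alone is only a low-severity hint: the test's own cleanup step touches the same file, so the file artifact should be correlated with a script or API match before alerting.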