Input Capture

Input capture is an attack technique in which an adversary obtains sensitive information by intercepting user input (for example through keylogging or screen capture); the interception can happen at several levels, from the hardware driver layer up to the application layer. Traditional detection identifies it mainly by monitoring system API call patterns (such as SetWindowsHookEx), checking the integrity of driver signatures, and looking for anomalous process memory behaviour. Defensive measures include encrypting the user input channel, strengthening driver signature verification, and deploying behavioural sandbox analysis.

To evade these traditional controls, modern input capture techniques have been moving toward fileless operation, protocol conformance, and dynamic behaviour. By embedding themselves in the system's trust model, building encrypted communication tunnels, and adapting to the environment they run in, attackers disguise input interception as legitimate system functionality or ordinary business traffic, which significantly reduces its observability.

The evolution of stealth in input capture follows three dimensions. The first is deeper integration into the system stack: hijacking trusted system components (such as the input method framework or biometric authentication drivers) so that the capture looks like legitimate behaviour. The second is end-to-end encryption of the data chain: real-time chunked encryption and dynamic tunnelling to evade content inspection. The third is dynamic adaptation of the attack surface: hook mechanisms that can detect analysis and relocate. Concretely, memory-resident techniques remove on-disk artefacts to evade static scanning; interface hijacking rides the system's chain of trust so that the behaviour appears transparent; encrypted exfiltration uses protocol obfuscation to pass traffic audits; and dynamic disguise maintains covertness through continuous adaptation to the environment. What these techniques share is that they shed the overt indicators of classic input capture: by moving lower in the stack, encrypting the data flow, and mimicking normal behaviour, they blend the attack into the system's ordinary operation.

As these stealth techniques mature, defences built on API monitoring and signature matching risk becoming ineffective. Defenders need new capabilities such as memory behaviour baselining and metadata-based detection of encrypted traffic, together with stronger runtime integrity verification of core system components, in order to build input security protection that spans the hardware layer through the application layer.

ID: T1056
Sub-techniques: T1056.001, T1056.002, T1056.003, T1056.004
Platforms: Linux, Network, Windows, macOS
Contributors: John Lambert, Microsoft Threat Intelligence Center
Version: 1.3
Created: 31 May 2017
Last Modified: 13 August 2024

Stealth Effects

Effect type   Present
Signature disguise
Behavioural transparency
Data obscuring
Spatiotemporal trace erasure

Signature disguise

Attackers hide the signatures of input capture by mimicking the behaviour of legitimate system components, for example by disguising a keylogging module as an input method service process (such as ctfmon.exe), or by hijacking a digitally signed driver to intercept input at a low level. The malicious activity then appears legitimate in the process tree, the service list, and similar views, evading detection based on process behaviour signatures.

Behavioural transparency

Using undisclosed system vulnerabilities or zero-day exploit chains, attackers make the input capture itself invisible: novel process injection techniques (such as AtomBombing) bypass memory protections, and undisclosed driver vulnerabilities allow hooks to be planted without leaving traces. Behaviour analysis systems that rely on known attack patterns struggle to recognise such activity.

Data obscuring

The intercepted data is encrypted end to end using real-time stream encryption and protocol tunnelling, for example by splitting keystroke records into random-length chunks inside a TLS session, or by encapsulating them in DNS over HTTPS. Forward secrecy and key separation ensure that decrypting a single session does not yield the complete input data, which makes the leak significantly harder to detect.

Procedure Examples

ID Name Description
G0087 APT39

APT39 has utilized tools to capture mouse movements.[1]

S0631 Chaes

Chaes has a module to perform any API hooking it desires.[2]

S0381 FlawedAmmyy

FlawedAmmyy can collect mouse events.[3]

S0641 Kobalos

Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[4][5]

S1060 Mafalda

Mafalda can conduct mouse event logging.[6]

S1059 metaMain

metaMain can log mouse events.[6]

S1131 NPPSPY

NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext.[7]

C0039 Versa Director Zero Day Exploitation

Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices.[8]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0027 Driver Driver Load

Monitor for unusual kernel driver installation activity.

Analytic 1 - Unexpected kernel driver installations.

index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")
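The keyword list in Analytic 1 is deliberately broad and will match benign services on its own, so a practitioner would pair it with a second signal before alerting. The following is an added example (not part of the original page or of ATT&CK): it applies the page's regex to constructed Event ID 7045 records and raises the severity only when the new service is a kernel-mode driver whose image lives outside the drivers directory. The trusted directory, the field names, and the sample records are assumptions.

```python
import re
from typing import Dict, List, Optional

# Regex from the page's Analytic 1. It is deliberately broad and matches
# many benign services, so it is used here as one signal among several.
SERVICE_NAME_RE = re.compile(
    r"(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")

# Where kernel drivers are expected to load from (assumption; adjust to
# the fleet's gold image if drivers legitimately live elsewhere).
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def normalise_image_path(raw: str) -> str:
    """Reduce the ImagePath spellings seen in 7045 events (\\??\\, \\SystemRoot\\,
    bare system32\\, quoted paths with arguments) to one lower-case Win32 path
    so that a prefix check works."""
    p = raw.strip().lower()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # drop quotes and trailing arguments
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p


def triage_service_install(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Score one Event ID 7045 (new service installed) record.

    Keys mirror the 7045 message fields (assumed names). Returns None when
    nothing is noteworthy, otherwise a finding with reasons and a severity."""
    if event.get("EventCode") != 7045:
        return None
    name = str(event.get("ServiceName", ""))
    image = normalise_image_path(str(event.get("ImagePath", "")))
    kernel = "kernel mode driver" in str(event.get("ServiceType", "")).lower()

    reasons: List[str] = []
    if SERVICE_NAME_RE.search(name):
        reasons.append("service name matches input-capture keyword list")
    if kernel and not image.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("kernel driver image outside the drivers directory")
    if not reasons:
        return None
    # Only a kernel driver that trips both signals is worth an immediate alert.
    severity = "high" if kernel and len(reasons) == 2 else "low"
    return {"service": name, "image": image, "kernel": kernel,
            "severity": severity, "reasons": reasons}


def triage_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the triage over a batch and keep only the findings."""
    return [f for f in (triage_service_install(e) for e in events) if f]


# Constructed sample records (not real telemetry).
SAMPLE_7045 = [
    {"EventCode": 7045, "ServiceName": "mouhid",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\mouhid.sys",
     "ServiceType": "kernel mode driver"},
    {"EventCode": 7045, "ServiceName": "DisplayMonitorFilter",
     "ImagePath": "system32\\DRIVERS\\dispmon.sys",
     "ServiceType": "kernel mode driver"},
    {"EventCode": 7045, "ServiceName": "KbdInputHelper",
     "ImagePath": "\\??\\C:\\Users\\Public\\kbdinput.sys",
     "ServiceType": "kernel mode driver"},
    {"EventCode": 7045, "ServiceName": "UpdateLogger",
     "ImagePath": "\"C:\\Program Files\\Vendor\\updlog.exe\" /svc",
     "ServiceType": "user mode service"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_7045):
        print(finding["severity"], finding["service"], finding["reasons"])
```

Of the four constructed records only the kernel driver loaded from a user-writable directory scores high; the display filter and the user-mode updater match the keyword list but are left at low severity for baseline review.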

DS0022 File File Modification

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

Analytic 1 - Unexpected file modifications.

index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100")

DS0009 Process OS API Execution

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState.[9]
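Raw API-call monitoring produces a high volume of benign events, because games, accessibility tools and the input method host all call these functions. The following is an added example (not part of the original page or of ATT&CK) of the two rules a detection engineer would layer on top of that telemetry: a keyboard hook (WH_KEYBOARD or WH_KEYBOARD_LL) installed by an image outside an allowlist, and a key-state polling loop recognised by call rate over a sliding window. The record format, the thresholds and the allowlist are assumptions; the telemetry is constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Hook identifiers from the Win32 SetWindowsHookEx API.
WH_KEYBOARD = 2
WH_KEYBOARD_LL = 13

HOOK_APIS = {"SetWindowsHook", "SetWindowsHookExA", "SetWindowsHookExW"}
POLL_APIS = {"GetKeyState", "GetAsyncKeyState"}

# Tuning values (assumptions; derive them from a fleet baseline in practice).
POLL_WINDOW_S = 1.0      # sliding window length in seconds
POLL_THRESHOLD = 200     # calls inside one window that count as a polling loop

# Constructed allowlist of images that legitimately install keyboard hooks.
# Keying on the image name alone is weak (a keylogger can be named
# ctfmon.exe, as the page's "signature disguise" section notes); a production
# rule should key on signer and full path instead.
HOOK_ALLOWLIST = {"ctfmon.exe", "explorer.exe"}


def detect_input_capture(records: List[Dict]) -> List[Dict]:
    """Walk API-call telemetry in time order and emit findings for keyboard
    hooks from unexpected images and for key-state polling loops.

    Each record is assumed to look like:
    {"ts": float, "pid": int, "image": str, "api": str, "args": dict}
    """
    findings: List[Dict] = []
    windows: Dict[Tuple[int, str], Deque[float]] = defaultdict(deque)
    already_flagged: Set[Tuple[int, str]] = set()

    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["pid"], rec["image"])
        api = rec["api"]

        if api in HOOK_APIS:
            hook_id = rec.get("args", {}).get("idHook")
            if hook_id in (WH_KEYBOARD, WH_KEYBOARD_LL) \
                    and rec["image"].lower() not in HOOK_ALLOWLIST:
                findings.append({"pid": rec["pid"], "image": rec["image"],
                                 "rule": "keyboard_hook",
                                 "detail": f"{api} idHook={hook_id}"})

        elif api in POLL_APIS:
            # Keep only the timestamps inside the trailing window.
            q = windows[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > POLL_WINDOW_S:
                q.popleft()
            if len(q) >= POLL_THRESHOLD and key not in already_flagged:
                already_flagged.add(key)      # one finding per process
                findings.append({"pid": rec["pid"], "image": rec["image"],
                                 "rule": "key_state_polling",
                                 "detail": f"{len(q)} calls within {POLL_WINDOW_S}s"})
    return findings


def sample_telemetry() -> List[Dict]:
    """Constructed telemetry (not real data): a game polling at 60 Hz, the
    input method host installing a low-level hook, and one unexpected
    process that both installs a hook and polls in a tight loop."""
    recs: List[Dict] = []
    # game.exe: 60 GetAsyncKeyState calls per second for 3 seconds -> benign rate
    for i in range(180):
        recs.append({"ts": 1.0 + i / 60, "pid": 4100, "image": "game.exe",
                     "api": "GetAsyncKeyState", "args": {"vKey": 0x57}})
    # ctfmon.exe installs WH_KEYBOARD_LL -> allowlisted
    recs.append({"ts": 2.0, "pid": 1200, "image": "ctfmon.exe",
                 "api": "SetWindowsHookExW", "args": {"idHook": WH_KEYBOARD_LL}})
    # updater.exe installs WH_KEYBOARD_LL and then polls 250 times in half a second
    recs.append({"ts": 9.5, "pid": 6020, "image": "updater.exe",
                 "api": "SetWindowsHookExW", "args": {"idHook": WH_KEYBOARD_LL}})
    for i in range(250):
        recs.append({"ts": 10.0 + i * 0.002, "pid": 6020, "image": "updater.exe",
                     "api": "GetAsyncKeyState", "args": {"vKey": 0x41 + i % 26}})
    return recs


if __name__ == "__main__":
    for f in detect_input_capture(sample_telemetry()):
        print(f)
```

The game never holds more than about 60 calls in any one-second window and stays silent, while the unexpected image produces exactly two findings, one per rule. The sliding window matters: counting calls per process over a whole day would flag every game and accessibility tool.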

Process Creation

Monitor for newly executed processes conducting malicious activity.

Process Metadata

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.
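The comparison described above reduces to checking the first instructions of each exported function in live memory against the same bytes from the on-disk image and recognising when they have been replaced by a jump. The following is an added example (not part of the original page or of ATT&CK) of that check on constructed byte strings: it classifies the common redirection stubs at a function entry and separates a confirmed redirect ("hooked") from an unexplained difference ("modified") that still needs triage. Reading the live bytes (for example with ReadProcessMemory) and applying relocations and import resolution to the disk copy are assumed to have been done by the caller; the prologue bytes are constructed, not taken from any real binary.

```python
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 16  # bytes compared at each function entry (assumption)


def classify_redirect(code: bytes) -> Optional[str]:
    """Recognise the control-flow redirections an inline hook commonly places
    at a function's first instruction. Returns a label or None."""
    if len(code) >= 5 and code[0] == 0xE9:                    # jmp rel32
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return f"jmp rel32 ({rel:+#x})"
    if len(code) >= 6 and code[:2] == b"\xff\x25":            # jmp [rip+disp32]
        return "jmp [rip+disp32]"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return "push imm32; ret"
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if len(code) >= 2 and code[0] == 0xEB:                    # jmp rel8
        return "jmp rel8"
    return None


def compare_function(name: str, disk: bytes, mem: bytes,
                     prologue_len: int = PROLOGUE_LEN) -> Dict[str, object]:
    """Compare a function's entry bytes as mapped in a live process against the
    same bytes from the on-disk image.

    verdict: "clean"    - bytes identical
             "hooked"   - bytes differ and the live entry is a recognised redirect
             "modified" - bytes differ but no redirect recognised (needs triage)
    """
    d, m = disk[:prologue_len], mem[:prologue_len]
    diffs = [i for i, (a, b) in enumerate(zip(d, m)) if a != b]
    redirect = classify_redirect(m) if diffs else None
    if not diffs:
        verdict = "clean"
    elif redirect:
        verdict = "hooked"
    else:
        verdict = "modified"
    return {"function": name, "verdict": verdict, "redirect": redirect,
            "first_diff": diffs[0] if diffs else None,
            "live_bytes": m.hex(" ")}


def scan(functions: Dict[str, Tuple[bytes, bytes]]) -> List[Dict[str, object]]:
    """Compare every (disk, live) pair and return the per-function results."""
    return [compare_function(n, d, m) for n, (d, m) in functions.items()]


# Constructed x64 prologue (not from any real binary):
#   mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h ; mov rdi,rcx
DISK_PROLOGUE = bytes.fromhex("48895c2408" "4889742410" "57" "4883ec20" "488bf9")
# Live copy whose first five bytes were replaced by a relative jump.
HOOKED_PROLOGUE = b"\xe9\x1b\x3f\x00\x00" + DISK_PROLOGUE[5:]
# Live copy with one immediate changed deeper in the prologue (no redirect).
MODIFIED_PROLOGUE = DISK_PROLOGUE[:14] + b"\x30" + DISK_PROLOGUE[15:]

SAMPLE_FUNCTIONS = {
    "GetAsyncKeyState": (DISK_PROLOGUE, HOOKED_PROLOGUE),
    "GetKeyState": (DISK_PROLOGUE, DISK_PROLOGUE),
    "TranslateMessage": (DISK_PROLOGUE, MODIFIED_PROLOGUE),
}

if __name__ == "__main__":
    for r in scan(SAMPLE_FUNCTIONS):
        print(f'{r["function"]:18} {r["verdict"]:9} {r["redirect"] or ""}')
```

The "modified" verdict is kept separate on purpose: a byte difference that is not a redirect can be a relocation the caller failed to apply, a vendor hot-patch, or a hook that uses a stub this classifier does not know, and each of those needs a different follow-up.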

DS0024 Windows Registry Windows Registry Key Modification

Monitor for changes made to Windows Registry keys or values for unexpected modifications.

References