CAPEC-568 Metadata
Likelihood of Attack
High
Typical Severity
High
Overview
Summary
An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which strings are likely to be passwords or other credential-related information.
Prerequisites
The ability to install the keylogger, either in person or remotely.
Execution Flow
Step | Phase | Description | Techniques |
---|---|---|---|
1 | Explore | [Determine which user's credentials to capture] Since this is a more targeted attack, an adversary will first identify a particular user whose credentials they wish to capture. | |
2 | Experiment | [Deploy keylogger] Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways. | |
3 | Experiment | [Record keystrokes] Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time. | |
4 | Experiment | [Analyze data and determine credentials] Using the captured keystrokes, the adversary will be able to determine the credentials of the user. | |
5 | Exploit | [Use found credentials] After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack. | |
Potential Solutions / Mitigations
Strong physical security can help reduce the ability of an adversary to install a keylogger.
Related CAPECs
CAPEC ID | Description |
---|---|
CAPEC-151 | Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials. |
CAPEC-560 | An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service. |
CAPEC-561 | An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. |
CAPEC-569 | An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions. |
CAPEC-600 | An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services. |
CAPEC-653 | An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System. |
Taxonomy Mappings
Taxonomy: ATTACK
Entry ID | Entry Name |
---|---|
1056.001 | Input Capture:Keylogging |