| ID | Objective(s) | Related ATT&CK Techniques | Version | Created | Last Modified |
|---|---|---|---|---|---|
| E1056 | Collection, Credential Access | Input Capture (T1056, T1417) | 2.3 | 1 August 2019 | 27 April 2024 |

# Input Capture

Malware may record user inputs, typically without the user's knowledge. This is often used to capture sensitive information such as usernames, passwords, credit card numbers, and other personal data. The most common form of input capture is keylogging, where the malware records every keystroke made on a device. However, it can also involve capturing mouse clicks, touch screen interactions, or even voice inputs. The captured data is then usually transmitted to the attacker for use in further malicious activities like identity theft or unauthorized access.

See ATT&CK: Input Capture (T1056, T1417).

## Methods

| Name | ID | Description |
|---|---|---|
| Mouse Events | E1056.m01 | Mouse events are captured. |

## Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Rombertik | 2015 | -- | The malware injects itself into a browser and captures user input data. [1] |
| Ursnif | 2016 | -- | The malware injects HTML into a browser session to collect sensitive online banking information when the victim performs their online banking. [2] |
| Poison Ivy | 2005 | -- | Poison Ivy can capture audio and video. [4] |
| Clipminer | 2011 | -- | Clipminer monitors keyboard and mouse activity to determine if the machine is in use. [5] |
| ElectroRAT | 2020 | -- | ElectroRAT monitors keyboard and mouse activity to determine whether the machine is in use. [6] |

## Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| use .NET library SharpClipboard | Input Capture (E1056) | -- |

| Tool: CAPE | Mapping | APIs |
|---|---|---|
| antisandbox_mouse_hook | Input Capture (E1056) | SetWindowsHookExA, SetWindowsHookExW |
| antisandbox_mouse_hook | Input Capture::Mouse Events (E1056.m01) | SetWindowsHookExA, SetWindowsHookExW |
| browser_scanbox | Input Capture (E1056) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
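As an added example (not part of the MBC page, capa, or CAPE), the following Python shows how a defender can turn the CAPE mapping above into a triage check: it walks SetWindowsHookExA/W calls in a sandbox API trace and tags them with the MBC IDs this page lists, using the `idHook` argument to separate keyboard capture (E1056) from mouse capture (E1056.m01). The trace record layout is a constructed, simplified stand-in and is not CAPE's real report schema.

```python
# Added example, not MBC or CAPE code: map SetWindowsHookExA/W calls from a
# sandbox API trace onto MBC E1056 / E1056.m01 using the idHook argument.
# The record layout below is a constructed simplification, not CAPE's schema.

# Hook-type constants from <winuser.h> (standard Win32 values).
KEYBOARD_HOOKS = {2, 13}   # WH_KEYBOARD, WH_KEYBOARD_LL
MOUSE_HOOKS = {7, 14}      # WH_MOUSE, WH_MOUSE_LL
HOOK_APIS = ("SetWindowsHookExA", "SetWindowsHookExW")

def classify_hook(call: dict) -> list:
    """Return the MBC IDs implied by one API-trace record, or [] if none."""
    if call.get("api") not in HOOK_APIS:
        return []
    id_hook = int(call["args"]["idHook"])
    ids = []
    if id_hook in KEYBOARD_HOOKS:
        ids.append("E1056")          # Input Capture (keystrokes)
    if id_hook in MOUSE_HOOKS:
        ids.append("E1056")          # Input Capture
        ids.append("E1056.m01")      # Input Capture::Mouse Events
    return ids

def scan_trace(calls: list) -> list:
    """Summarise every hook-install call, flagging global (thread 0) hooks."""
    findings = []
    for call in calls:
        ids = classify_hook(call)
        if not ids:
            continue
        findings.append({
            "pid": call["pid"],
            "idHook": int(call["args"]["idHook"]),
            "mbc": ids,
            # dwThreadId == 0 installs the hook for every thread on the
            # desktop, i.e. system-wide capture rather than the caller's own
            # windows; that is the case worth escalating first.
            "global": int(call["args"]["dwThreadId"]) == 0,
        })
    return findings

# Constructed sample trace: a global low-level keyboard hook, a global mouse
# hook, and an unrelated call that must be ignored.
SAMPLE_TRACE = [
    {"pid": 4120, "api": "SetWindowsHookExW",
     "args": {"idHook": 13, "lpfn": "0x401000", "hMod": "0x0", "dwThreadId": 0}},
    {"pid": 4120, "api": "SetWindowsHookExA",
     "args": {"idHook": 7, "lpfn": "0x401200", "hMod": "0x400000", "dwThreadId": 0}},
    {"pid": 4120, "api": "CreateFileW", "args": {"lpFileName": "C:\\log.txt"}},
]
```

Running `scan_trace(SAMPLE_TRACE)` yields two findings, one tagged E1056 only (keyboard) and one tagged both E1056 and E1056.m01 (mouse), both marked global; the same idHook split explains why CAPE reports the mouse case under the E1056.m01 sub-method.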

## References

[1] https://blogs.cisco.com/security/talos/rombertik

[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279

[3] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking

[4] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy

[5] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf

[6] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/