CAPEC-568: Capture Credentials via Keylogger
An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.
Last updated
Overview
CAPEC-568 (Capture Credentials via Keylogger) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine which user's credentials to capture] Since this is a more targeted attack, an adversary will first identify a particular user they wish the capture the credentials of.
- Step 2Experiment
[Deploy keylogger] Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.
- Send a phishing email with a malicious attachment that installs a keylogger on a user's system
- Conceal a keylogger behind fake software and get the user to download the software
- Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
- Gain access to the user's system through a vulnerability and manually install a keylogger
- Step 3Experiment