An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which strings are likely to be passwords or other credential-related information.
CAPEC-568 (Capture Credentials via Keylogger) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
The phases an attacker typically follows to carry out this attack:
[Determine which user's credentials to capture] Since this is a more targeted attack, an adversary will first identify a particular user whose credentials they wish to capture.
[Deploy keylogger] Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.
[Record keystrokes] Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.
[Analyze data and determine credentials] Using the captured keystrokes, the adversary will be able to determine the credentials of the user.
[Use found credentials] After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack.
Defenses that reduce the risk of CAPEC-568:
Strong physical security can help reduce the ability of an adversary to install a keylogger.
Common questions about CAPEC-568:
It typically unfolds over 5 phases. It begins with: [Determine which user's credentials to capture] Since this is a more targeted attack, an adversary will first identify a particular user whose credentials they wish to capture.
MITRE rates CAPEC-568 as High severity.
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.