Potential Keylogger Activity

Sigma Rules

Summary
This detection rule identifies potential keylogger activity by inspecting logged PowerShell script blocks for references to keystroke-capturing functions. Specifically, it matches script block text that calls the `IsKeyDown` method of the `System.Windows.Input.Keyboard` class, a technique malicious scripts use to poll the keyboard and record what the user types. The rule depends on PowerShell Script Block Logging being enabled on the monitored Windows hosts, since the script text it inspects is only recorded in the `Microsoft-Windows-PowerShell/Operational` log (Event ID 4104) when that setting is on; without it the rule never fires. The rule carries a medium severity level and can generate false positives, because legitimate scripts also use keyboard input functions (for example, interactive tooling that checks whether a modifier key is held). It also matches only the literal method reference, so a script that builds the type name from fragments or otherwise obfuscates the call will not be detected. Security teams should review each hit carefully, looking at what the surrounding script does with the key state, to distinguish benign use from malicious intent.
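To show how the match above behaves on real-looking telemetry, here is an added Python example (not part of this page, the Sigma rule, or the Sigma project) that applies the same case-insensitive `contains` test to a few constructed Event ID 4104 records and then adds simple triage heuristics on top of the hit. The event records, host names, and the triage regexes are assumptions made for the example; only the indicator string and the 4104 event ID come from the rule's logic described above.

```python
import re

# The substring the rule keys on. Sigma's 'contains' modifier is
# case-insensitive, so the comparison below lowercases both sides.
KEYLOG_INDICATOR = "Windows.Input.Keyboard]::IsKeyDown"

# Constructed sample records shaped like Microsoft-Windows-PowerShell/Operational
# Event ID 4104 (ScriptBlockText is the logged script body). Hosts and script
# contents are made up for this example.
SAMPLE_EVENTS = [
    {   # Polls every key in a tight loop and appends hits to a file: classic keylogger.
        "EventID": 4104, "Computer": "WS01",
        "ScriptBlockText": (
            "Add-Type -AssemblyName PresentationCore\n"
            "while ($true) {\n"
            "  foreach ($k in [Enum]::GetValues([Windows.Input.Key])) {\n"
            "    if ([Windows.Input.Keyboard]::IsKeyDown($k)) { Add-Content C:\\Users\\Public\\k.log $k }\n"
            "  }\n"
            "  Start-Sleep -Milliseconds 10\n"
            "}"
        ),
    },
    {   # Checks a single modifier key once: the kind of benign use that trips the rule.
        "EventID": 4104, "Computer": "WS02",
        "ScriptBlockText": (
            "Add-Type -AssemblyName PresentationCore\n"
            "if ([System.Windows.Input.Keyboard]::IsKeyDown([Windows.Input.Key]::LeftShift)) {\n"
            "  Write-Host 'Shift held: skipping confirmation prompt'\n"
            "}"
        ),
    },
    {   # Unrelated script block: must not match.
        "EventID": 4104, "Computer": "WS03",
        "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU -Descending",
    },
]

# Assumed triage heuristics layered on top of the rule (these are NOT part of
# the Sigma rule). They look for traits of a real keylogger: a polling loop,
# enumeration of every key, and writing or sending the captured data.
LOOP_RE = re.compile(r"\b(while|for|foreach|do)\b", re.IGNORECASE)
ENUM_KEYS_RE = re.compile(r"GetValues\(\[Windows\.Input\.Key\]\)", re.IGNORECASE)
EXFIL_RE = re.compile(
    r"(Add-Content|Out-File|Set-Content|>>|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient)",
    re.IGNORECASE,
)


def matches_rule(event):
    """Mirror the rule: Event ID 4104 whose ScriptBlockText contains the indicator."""
    if event.get("EventID") != 4104:
        return False
    return KEYLOG_INDICATOR.lower() in event.get("ScriptBlockText", "").lower()


def triage_reasons(script_text):
    """Return the list of suspicious traits found in a matching script block."""
    reasons = []
    if LOOP_RE.search(script_text):
        reasons.append("polls key state in a loop")
    if ENUM_KEYS_RE.search(script_text):
        reasons.append("enumerates every key")
    if EXFIL_RE.search(script_text):
        reasons.append("writes or sends captured data")
    return reasons


def run_detection(events):
    """Apply the rule to each record; escalate hits that show two or more traits."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        reasons = triage_reasons(ev["ScriptBlockText"])
        hits.append({
            "Computer": ev["Computer"],
            "priority": "high" if len(reasons) >= 2 else "review",
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['priority']} {hit['reasons']}")
```

Both WS01 and WS02 match the rule itself, which is exactly the false-positive problem the summary describes; the triage layer separates them by what the script does with the key state, not by the mere presence of `IsKeyDown`. Note that Script Block Logging splits long scripts across several 4104 messages, so in production the text should be reassembled per `ScriptBlockId` before matching, or an indicator that straddles a fragment boundary will be missed.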
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
  • Process
Created: 2023-01-04