The CAP_HookExKeylogger rule is a capability ("CAP") rule: it flags files or process memory that reference the Win32 SetWindowsHookEx API together with the WH_KEYBOARD / WH_KEYBOARD_LL hook identifiers, the combination a user-mode keylogger uses to receive keyboard input system-wide. Keystroke capture is a common adversary technique for harvesting credentials and other sensitive input, so hits from endpoint file or memory scans are worth forwarding to the SIEM (Azure Sentinel, now Microsoft Sentinel, for example) as hunting leads. Treat the rule as a triage signal for early-stage, unsigned keyloggers that traditional signatures miss, not as a high-fidelity detection: legitimate software installs the same hooks, so every hit needs the exclusions described below.
YARA Rule
rule CAP_HookExKeylogger
{
    meta:
        author = "Brian C. Bell -- @biebsmalwareguy"
        reference = "https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar"
    strings:
        // Win32 hook-installation API; also matches the import names SetWindowsHookExA/W
        $str_Win32hookapi = "SetWindowsHookEx" nocase
        // Hook identifiers from winuser.h; note $str_Win32key is a substring of $str_Win32llkey
        $str_Win32llkey = "WH_KEYBOARD_LL" nocase
        $str_Win32key = "WH_KEYBOARD" nocase
    condition:
        2 of them
}
This rule can be used wherever YARA runs: on-disk file scanning, memory scanning of live processes, or sandbox and mail-gateway pipelines. Its detection logic contains 3 string patterns and fires when any 2 of them are present, all matched case-insensitively (nocase) as plain ASCII. Two caveats matter when tuning it. First, "WH_KEYBOARD" is a substring of "WH_KEYBOARD_LL", so any content containing the latter satisfies the 2-of-3 condition on its own. Second, a natively compiled keylogger usually carries only the import name SetWindowsHookExA/W, because the WH_KEYBOARD_LL constant is compiled down to the integer 13; the literal WH_* names survive in source code, interpreted scripts (Python ctypes, PowerShell, AutoIt) and SDK headers, which is where most matches, and most false positives, come from.
Scenario: Legitimate software that installs keyboard hooks, such as input-remapping, macro and accessibility utilities (AutoHotkey, for example)
Filter/Exclusion: Exclude the vendor's binaries by Authenticode signer or file hash, scoped to the product's install directory; do not exclude on a bare process or file name, which any dropper can copy.
Scenario: Development toolchains, documentation and source trees
Filter/Exclusion: winuser.h in the Windows SDK, sample code and any project that declares a keyboard hook contain all three strings. Exclude SDK and IDE install paths and known source repositories by path and, where the content is static, by hash.
Scenario: Debugging or instrumentation tooling that relies on Win32 hooks, such as Visual Studio's Spy++ message inspector
Filter/Exclusion: Exclude the specific signed tool binaries by hash or signer. Do not exclude on command-line keywords like "Debug", since an attacker can add the same keyword to their own command line.
Scenario: Antivirus or endpoint protection software that hooks user-mode input APIs (anti-keylogger or secure-browser modules)
Filter/Exclusion: Exclude the product's signed binaries by publisher certificate or hash; a name-only allowlist of Malwarebytes, Bitdefender or Kaspersky process names is trivially abused by naming a dropper after the product.
Scenario: Authorised keylogging scripts used for red-team testing or tool development (a Python ctypes or PowerShell script that calls SetWindowsHookEx with WH_KEYBOARD_LL is exactly what the rule targets)
Filter/Exclusion: Exclude only the approved script's hash and its sanctioned location, for the duration of the engagement. An exclusion keyed on the interpreter (python.exe, node.exe) or on command-line arguments would also suppress real keyloggers that use the same interpreters.