This detection identifies the potential adversary behavior of running a keylogger to capture user input for later exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent data exfiltration.
YARA Rule
rule keylogger {
    meta:
        author = "x0r"
        description = "Run a keylogger"
        version = "0.1"
    strings:
        // library that exports the Windows keyboard-state APIs; matched case-insensitively
        $f1 = "User32.dll" nocase
        // keyboard-state APIs commonly imported by keyloggers
        $c1 = "GetAsyncKeyState"
        $c2 = "GetKeyState"
        $c3 = "MapVirtualKey"
        $c4 = "GetKeyboardType"
    condition:
        // the library name must be present together with at least one of the API names
        $f1 and 1 of ($c*)
}
This rule contains 5 string patterns in its detection logic: one library name ($f1, matched case-insensitively) and four keyboard API names ($c1 to $c4). It fires only when the library name appears together with at least one of the API names, so a binary that merely references User32.dll without any of the keyboard-state functions does not match.
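The following added example (not part of the original rule set or its author's tooling) re-implements the rule's condition in plain Python so its matching behaviour can be checked without the yara module, and layers on the trusted-directory and known-EDR-process exclusions described in the scenarios below. The sample byte strings, the trusted directory and the EDR process names are constructed placeholders taken from the scenarios, not a vetted allowlist.

```python
import re

# Strings from the keylogger rule above. 'nocase' on $f1 becomes a
# case-insensitive regex; the $c* strings are exact, case-sensitive matches.
F1 = re.compile(rb"User32\.dll", re.IGNORECASE)
C_STRINGS = [b"GetAsyncKeyState", b"GetKeyState", b"MapVirtualKey", b"GetKeyboardType"]


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule condition:  $f1 and 1 of ($c*)"""
    return bool(F1.search(data)) and any(c in data for c in C_STRINGS)


# Exclusions drawn from the false-positive scenarios (constructed placeholders).
TRUSTED_DIRS = ("c:\\windows\\system32\\",)
KNOWN_EDR_PROCESSES = {"crowdstrikesvc.exe", "sentinelone.exe"}


def should_alert(data: bytes, image_path: str) -> bool:
    """Return True when the rule matches and no scenario exclusion applies."""
    if not rule_matches(data):
        return False
    path = image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if name in KNOWN_EDR_PROCESSES:          # known EDR/AV vendor process
        return False
    if any(path.startswith(d) for d in TRUSTED_DIRS):  # trusted directory
        return False
    return True


# Constructed byte strings standing in for scanned file contents (not real binaries).
SAMPLE_KEYLOGGER = b"MZ\x90\x00user32.dll\x00GetAsyncKeyState\x00MapVirtualKey\x00"
SAMPLE_IMPORT_ONLY = b"MZ\x90\x00USER32.DLL\x00MessageBoxA\x00"   # library, no API
SAMPLE_NO_LIBRARY = b"MZ\x90\x00GetKeyState\x00"                   # API, no library

if __name__ == "__main__":
    for label, blob in [("keylogger", SAMPLE_KEYLOGGER),
                        ("import-only", SAMPLE_IMPORT_ONLY),
                        ("no-library", SAMPLE_NO_LIBRARY)]:
        print(f"{label}: rule_matches={rule_matches(blob)}")
    print("alert (user dir):", should_alert(SAMPLE_KEYLOGGER, "C:\\Users\\dev\\kl.exe"))
    print("alert (System32):", should_alert(SAMPLE_KEYLOGGER, "C:\\Windows\\System32\\svc.exe"))
```

Path- and name-based exclusions are only as trustworthy as the directories and names they rely on, so in production pair them with a check of the binary's publisher signature rather than the path alone.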
Scenario: System Maintenance Task Using a Keylogger Tool
Description: A system administrator uses a legitimate keylogger tool (e.g., Keylogger.exe) as part of a security audit or incident response.
Filter/Exclusion: Check for the presence of a known admin user (e.g., Administrator), and exclude processes launched from a trusted directory (e.g., C:\Windows\System32\).
Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script that logs user activity for compliance purposes, using a tool like LogCollector.exe.
Filter/Exclusion: Exclude processes initiated by a scheduled task with a known name (e.g., LogCollectorTask) and check for the presence of a compliance or audit-related service.
Scenario: Antivirus or EDR Tool Generating Logs
Description: An endpoint protection tool (e.g., CrowdStrike, SentinelOne) generates logs that resemble keylogger activity due to its monitoring capabilities.
Filter/Exclusion: Exclude processes associated with known EDR/AV vendors (e.g., CrowdStrikeSvc.exe, SentinelOne.exe) and check for parent process relationships.
Scenario: User-Initiated Keylogger for Debugging
Description: A developer uses a keylogger (e.g., KeyloggerDev.exe) to debug application input behavior.
Filter/Exclusion: Exclude processes launched by a developer user (e.g., DevUser) and check for the presence of a development environment or debugging tool.
Scenario: Legacy System Compatibility Check
Description: A legacy application or compatibility tool (e.g., CompatTool.exe) runs in the background and captures input for compatibility testing.
Filter/Exclusion: Exclude processes with a known legacy application name and check for execution in a virtualized