A raw-input based keylogger captures keyboard input before it passes through the normal input-processing path, allowing adversaries to record and exfiltrate keystrokes without triggering traditional detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or sensitive data exposure in stealthy attacks that would otherwise surface only as low-severity events.
YARA Rule
rule Trojan_Win32_Plakelog
{
    meta:
        author = "Microsoft"
        description = "Raw-input based keylogger"
        original_sample_sha1 = "3907a9e41df805f912f821a47031164b6636bd04"
        unpacked_sample_sha1 = "960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $str1 = "<0x02>" wide
        $str2 = "[CTR-BRK]" wide
        $str3 = "[/WIN]" wide
        $str4 = {8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B}

    condition:
        $str1 and $str2 and $str3 and $str4
}
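To make the rule's matching logic concrete, the following is an added Python example (not from the original page or from Microsoft) that re-implements the four-string AND condition over a constructed buffer, showing how the wide modifier and the hex string translate to raw bytes; the plakelog_matches and build_sample names and the synthetic buffer are the example's own assumptions.

```python
# Added example (not from the original page or Microsoft's rule): a minimal
# pure-Python re-implementation of the Trojan_Win32_Plakelog condition, to
# show how YARA's "wide" modifier and hex strings translate to raw bytes.

# YARA "wide" strings match UTF-16LE text: each ASCII character is followed
# by a NUL byte. Note that "<0x02>" is the literal six-character text <0x02>,
# not a single 0x02 byte.
WIDE_STRINGS = {
    "$str1": "<0x02>".encode("utf-16-le"),
    "$str2": "[CTR-BRK]".encode("utf-16-le"),
    "$str3": "[/WIN]".encode("utf-16-le"),
}

# $str4 is the raw byte sequence taken from the rule; YARA hex strings match
# these bytes exactly, independent of any text encoding.
HEX_STRING = bytes.fromhex(
    "8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B"
)


def plakelog_matches(data: bytes) -> dict:
    """Return a per-string hit map plus the overall rule verdict.

    The rule's condition is a plain AND of all four strings, so it fires
    only when every identifier occurs somewhere in ``data``.
    """
    hits = {name: (s in data) for name, s in WIDE_STRINGS.items()}
    hits["$str4"] = HEX_STRING in data
    hits["rule"] = all(hits[k] for k in ("$str1", "$str2", "$str3", "$str4"))
    return hits


def build_sample(wide: bool = True, include_hex: bool = True) -> bytes:
    """Construct a synthetic test buffer (not real malware) embedding the markers."""
    enc = "utf-16-le" if wide else "ascii"
    parts = [b"\x90" * 16]
    for text in ("<0x02>", "[CTR-BRK]", "[/WIN]"):
        parts.append(text.encode(enc) + b"\x00" * 8)
    if include_hex:
        parts.append(HEX_STRING)
    parts.append(b"\xcc" * 16)
    return b"".join(parts)


if __name__ == "__main__":
    print(plakelog_matches(build_sample()))                    # rule: True
    print(plakelog_matches(build_sample(wide=False)))          # ASCII only: rule False
    print(plakelog_matches(build_sample(include_hex=False)))   # no $str4: rule False
```

The ASCII-only case is the instructive one: the same three marker texts are present, but because the rule declares them wide only, a narrow (ASCII) copy never satisfies $str1..$str3.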
This rule contains 4 string patterns in its detection logic. It can be deployed in the following contexts:
Scenario: System administrator using a keylogger tool for forensic analysis
Filter/Exclusion: Exclude processes associated with known forensic tools (e.g., Mandiant, Volatility, LogRhythm) or check for the presence of a "forensic mode" flag in the process context.
Scenario: Scheduled job for password reset or user account management
Filter/Exclusion: Exclude processes initiated by scheduled tasks (e.g., schtasks.exe, Task Scheduler) and filter by user accounts with administrative privileges (e.g., Administrator, Domain Admins).
Scenario: Legitimate input capture for application testing or UI automation
Filter/Exclusion: Exclude processes related to UI automation tools (e.g., AutoIt, Puppeteer, Sikuli) or those running under a test environment (e.g., TestUser, TestAccount).
Scenario: User input captured during a legitimate remote support session
Filter/Exclusion: Exclude processes initiated by remote desktop tools (e.g., mstsc.exe, RDP, TeamViewer) and check for the presence of a support session flag or user context (e.g., SupportUser).
Scenario: Input logging for compliance or audit purposes
Filter/Exclusion: Exclude processes associated with compliance tools (e.g., Splunk, SIEM, Log Management) or those running under a dedicated compliance user account (e.g., ComplianceUser).