This detection flags potential keylogger activity by identifying unusual patterns of captured-input exfiltration, which may indicate an adversary attempting to steal sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel so that early-stage espionage or data theft campaigns are detected and mitigated.
YARA Rule
rule Trojan_Win32_PlaKeylog_B
{
    meta:
        author = "Microsoft"
        description = "Keylogger component"
        original_sample_sha1 = "0096a3e0c97b85ca75164f48230ae530c94a2b77"
        unpacked_sample_sha1 = "6a1412daaa9bdc553689537df0a004d44f8a45fd"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $hook = {C6 06 FF 46 C6 06 25}
        $dasm_engine = {80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05}
    condition:
        $hook and $dasm_engine
}
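To show what the rule's two hex strings and its condition actually do when applied to a file, here is an added Python example (not part of this page and not Microsoft's code) that implements a small pure-Python matcher for YARA hex strings and evaluates the condition `$hook and $dasm_engine` over constructed sample buffers. It goes slightly beyond this rule by also handling the `??` single-byte wildcard that YARA hex strings allow; the sample buffers are synthetic filler with the patterns embedded, not real malware.

```python
import re
from typing import Dict, List

# Hex string patterns copied verbatim from the rule on this page.
RULE_STRINGS = {
    "$hook": "C6 06 FF 46 C6 06 25",
    "$dasm_engine": "80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05",
}


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Turn a YARA hex string into a bytes regex.

    Handles fixed bytes and the '??' wildcard (a generalisation; this rule
    uses fixed bytes only). Jumps such as [2-4] are not supported here.
    """
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def find_offsets(data: bytes, pattern: str) -> List[int]:
    """Return every (non-overlapping) offset where the hex pattern occurs."""
    regex = re.compile(hex_pattern_to_regex(pattern), re.DOTALL)
    return [m.start() for m in regex.finditer(data)]


def scan(data: bytes) -> Dict[str, List[int]]:
    """Offsets of each named string, the way YARA reports string matches."""
    return {name: find_offsets(data, pat) for name, pat in RULE_STRINGS.items()}


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: both $hook and $dasm_engine must be present."""
    hits = scan(data)
    return bool(hits["$hook"]) and bool(hits["$dasm_engine"])


# Constructed sample buffers (synthetic, not real samples): filler bytes with
# the rule's byte patterns embedded at known offsets.
SAMPLE_BOTH = (b"\x90" * 16 + bytes.fromhex(RULE_STRINGS["$hook"])
               + b"\x00" * 8 + bytes.fromhex(RULE_STRINGS["$dasm_engine"])
               + b"\xcc" * 4)
SAMPLE_HOOK_ONLY = b"\x90" * 5 + bytes.fromhex(RULE_STRINGS["$hook"]) + b"\x00" * 20

if __name__ == "__main__":
    for label, buf in (("both strings", SAMPLE_BOTH), ("hook only", SAMPLE_HOOK_ONLY)):
        print(label, scan(buf), "-> rule matches:", rule_matches(buf))
```

Only a buffer containing both patterns satisfies the condition; a lone `$hook` hit is reported as a string match but does not fire the rule.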
This rule contains 2 string patterns ($hook and $dasm_engine) in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: System update or patch installation using Windows Update or Group Policy Preferences (GPP)
Filter/Exclusion: Check for process parent or command line containing wuauclt.exe, gpupdate.exe, or msiexec.exe with known update package names.
Scenario: Scheduled job running PowerShell scripts for system maintenance (e.g., log rotation, cleanup)
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -File or -Command and contains known maintenance script paths or names.
Scenario: Logon script execution using Group Policy or Login.bat for user environment setup
Filter/Exclusion: Filter out processes with cmd.exe or powershell.exe that are launched by gpresult.exe or have a command line containing logon.bat or userenv.dll.
Scenario: Remote desktop session or Terminal Services activity that may trigger keylogger-like behavior due to user input
Filter/Exclusion: Exclude processes with mstsc.exe or tsclient.exe and check for session context or user input patterns that are typical of remote access.
Scenario: Security software or endpoint protection tools such as Bitdefender, Kaspersky, or Malwarebytes performing heuristic analysis
Filter/Exclusion: Exclude processes with known AV tool names or parent processes like avp.exe, mbam.exe, or kavservice.exe.