A hook-based keylogger may be used by adversaries to stealthily capture keystrokes and exfiltrate sensitive information, indicating potential persistence or data theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate covert data exfiltration attempts that evade traditional detection methods.
YARA Rule
rule Trojan_Win32_Plaklog
{
    meta:
        author = "Microsoft"
        description = "Hook-based keylogger"
        original_sample_sha1 = "831a5a29d47ab85ee3216d4e75f18d93641a9819"
        unpacked_sample_sha1 = "e18750207ddbd939975466a0e01bd84e75327dda"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "++[%s^^unknown^^%s]++"   // log format string used by the keylogger
        $str2 = "vtfs43/emm"              // each byte is one above the ASCII of "user32.dll"
        $str3 = {33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0 C3}   // 25-byte code sequence, no wildcards
    condition:
        $str1 and $str2 and $str3
}
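As an added example (not part of the original page and not Microsoft's code), the following Python script re-implements the rule's condition on raw bytes without needing yara-python, so an analyst can check what each of the three patterns contributes to a match. It also shows the triage observation that $str2 is plain ASCII with every byte shifted up by one: subtracting one yields "user32.dll". The three patterns are taken verbatim from the rule; the two buffers it scans are constructed for the example and are not real samples.

```python
"""
Added example: minimal re-implementation of the Trojan_Win32_Plaklog condition
over a byte buffer, plus decoding of the shifted string $str2.
Only the three patterns come from the rule; SUSPECT and PARTIAL are constructed.
"""
import re
from typing import Dict, List

# The three patterns exactly as in the rule. $str3 contains no wildcards, so it
# is a fixed 25-byte sequence and a plain substring search reproduces YARA's match.
STR1 = b"++[%s^^unknown^^%s]++"
STR2 = b"vtfs43/emm"
STR3 = bytes.fromhex("33C9394C24087E108B44240403C1800008413B4C24087CF0C3")

PATTERNS: Dict[str, bytes] = {"$str1": STR1, "$str2": STR2, "$str3": STR3}


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs in data."""
    return [m.start() for m in re.finditer(re.escape(pattern), data)]


def scan(data: bytes) -> dict:
    """Evaluate the rule condition: all three strings must be present."""
    hits = {name: find_all(data, pat) for name, pat in PATTERNS.items()}
    return {
        "rule": "Trojan_Win32_Plaklog",
        "matched": all(hits.values()),
        "strings": hits,
    }


def shift_ascii(s: bytes, delta: int) -> bytes:
    """Add delta to every byte (mod 256); undoes a single-byte shift obfuscation."""
    return bytes((b + delta) & 0xFF for b in s)


def decode_str2() -> str:
    # Subtracting 1 from each byte of $str2 gives the DLL name the sample uses.
    return shift_ascii(STR2, -1).decode("ascii")


# Constructed buffers (not real samples): SUSPECT carries all three markers,
# PARTIAL carries only the format string and the code bytes and must not match.
SUSPECT = b"\x00" * 64 + STR1 + b"\x00" * 16 + STR2 + b"\x90" * 8 + STR3 + b"\x00" * 32
PARTIAL = b"\x00" * 64 + STR1 + b"\x00" * 16 + STR3

if __name__ == "__main__":
    for label, buf in (("suspect", SUSPECT), ("partial", PARTIAL)):
        result = scan(buf)
        print(label, "matched" if result["matched"] else "no match", result["strings"])
    print("$str2 decodes to", decode_str2())
```

Because the condition requires all three strings, a buffer that carries only the format string and the code bytes (PARTIAL above) does not fire; when tuning, keep the `and` condition rather than loosening it to `any of them`, since $str1 on its own is a generic-looking format string.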
This rule contains 3 string patterns in its detection logic: two text strings and one hex byte sequence, all of which must be present for the rule to match. The rule can be deployed in the following contexts; each scenario below describes legitimate activity that can resemble the hooking behavior this detection targets and lists processes that may be excluded during triage of a match:
Scenario: System update or patch installation
Description: A legitimate system update or patch installation may trigger hook-based detection due to the use of hooking mechanisms during the update process.
Filter/Exclusion: Exclude processes related to known update tools such as wuauclt.exe (Windows Update), msiexec.exe (MSI installers), or setup.exe (Windows Setup).
Scenario: Scheduled task for log collection or monitoring
Description: A scheduled task that collects logs or performs monitoring may use hooking techniques to capture keystrokes or system events.
Filter/Exclusion: Exclude processes associated with log collection tools like eventvwr.exe, logman.exe, or specific monitoring tools such as SplunkForwarder.exe or Graylog2.exe.
Scenario: Admin task involving registry or configuration changes
Description: Administrative tasks such as modifying registry keys or configuration files may involve hooking to intercept system calls or events.
Filter/Exclusion: Exclude processes like regedit.exe, regsvr32.exe, or msconfig.exe that are commonly used for system configuration.
Scenario: Antivirus or endpoint protection tool hooking
Description: Some endpoint protection tools may use hooking mechanisms to monitor system behavior for malicious activity.
Filter/Exclusion: Exclude processes from known security software such as mpsvc.exe (Microsoft Defender), avgnt.exe (Avast), or bitdefender.exe.
Scenario: Virtualization or remote desktop session setup
Description: Setting up a virtual machine or remote desktop session may involve hooking to redirect input or manage sessions.
Filter/Exclusion: Exclude processes like vmtoolsd.exe (VMware Tools), mstsc.exe (Remote Desktop), or `tsclient
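As an added example (not from the original page), the following Python script applies the scenario exclusions above to a batch of alert records before they reach an analyst. The process names per scenario are the page's own (the truncated last entry is left out rather than guessed); the record layout (host, process_name, image_path, signer), the trusted directory and signer lists, and the sample records are all assumed and constructed for this example. It goes one step beyond the page in that a listed process name is only excluded when the image also sits under a trusted directory and carries a trusted signer, so a renamed binary in a user profile is not silently dropped.

```python
"""
Added example: triage filter that applies the page's scenario exclusions to
hook-based keylogger alerts. Record schema, trusted directories/signers and
the sample alerts are assumptions for this example, not from the page.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Process names per scenario, as listed on the page (compared case-insensitively).
EXCLUSIONS: Dict[str, set] = {
    "system update or patch installation": {"wuauclt.exe", "msiexec.exe", "setup.exe"},
    "scheduled log collection or monitoring": {"eventvwr.exe", "logman.exe", "splunkforwarder.exe", "graylog2.exe"},
    "admin registry or configuration task": {"regedit.exe", "regsvr32.exe", "msconfig.exe"},
    "endpoint protection hooking": {"mpsvc.exe", "avgnt.exe", "bitdefender.exe"},
    "virtualization or remote desktop setup": {"vmtoolsd.exe", "mstsc.exe"},
}

# Assumed provenance requirements: a name match alone is not enough to exclude.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation", "vmware, inc."}


def exclusion_reason(record: dict) -> Optional[str]:
    """Return the scenario that excludes this record, or None if it needs review."""
    name = PureWindowsPath(record["process_name"]).name.lower()
    path = record.get("image_path", "").lower()
    signer = record.get("signer", "").lower()
    for scenario, names in EXCLUSIONS.items():
        if name in names:
            if path.startswith(TRUSTED_DIRS) and signer in TRUSTED_SIGNERS:
                return scenario
            # Name matches an exclusion but path or signer does not: keep it.
            return None
    return None


def triage(records: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Split records into (excluded with reason, needs analyst review)."""
    excluded, review = [], []
    for rec in records:
        reason = exclusion_reason(rec)
        if reason:
            excluded.append({**rec, "excluded_by": reason})
        else:
            review.append(rec)
    return excluded, review


# Constructed alert records for the example.
SAMPLE_ALERTS = [
    {"host": "ws01", "process_name": "msiexec.exe",
     "image_path": "C:\\Windows\\System32\\msiexec.exe", "signer": "Microsoft Windows"},
    {"host": "ws02", "process_name": "msiexec.exe",
     "image_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\msiexec.exe", "signer": ""},
    {"host": "ws03", "process_name": "vmtoolsd.exe",
     "image_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", "signer": "VMware, Inc."},
    {"host": "ws04", "process_name": "svchost.exe",
     "image_path": "C:\\Windows\\System32\\svchost.exe", "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    excluded, review = triage(SAMPLE_ALERTS)
    for rec in excluded:
        print("excluded:", rec["host"], rec["process_name"], "->", rec["excluded_by"])
    for rec in review:
        print("review:  ", rec["host"], rec["process_name"], rec["image_path"])
```

The second sample record shows why the provenance check matters: a file named msiexec.exe under a user's Temp directory with no signature matches the "patch installation" exclusion by name but is exactly the kind of alert that should reach an analyst.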