MITRE ATT&CK: Input capture
Since the early days of computing, input has been the most basic form of interface with a system. Until attackers find a way to intercept brain communications, input will remain the holy grail of information sources to harvest.
Attackers have a way to access this rich source of sensitive information — the input capture attack technique. Headlined by the infamous keylogger, input capture appears on the MITRE ATT&CK matrix as an “abuse of system features” technique and may be the epitome of an abuse of system feature attack tactic.
This article will detail the input capture technique and will explore what MITRE ATT&CK is, the danger of abuse of system features, a little about input capture, real-world examples of this attack in action, and tips for mitigation and detection.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for the cybersecurity product/service community, the private sector and government use. More information on the MITRE ATT&CK matrix can be found here.
Dangers of abuse of system features
Before we discuss this attack technique, we must first discuss what makes it so dangerous. This attack technique is considered an “abuse of system features” technique.
What this means is that the attacker or malicious hacker is leveraging the inherent features of the compromised system against itself. It is sort of like jujitsu or judo, where the opponent’s inherent quality (weight, lack of balance, forward momentum and so on) is used against the opponent.
A little about input capture
The goal of the input capture attack technique is to obtain valid account credentials on the target system and other sensitive user information that may assist in the attack campaign. The most widespread input capture tool are keyloggers that have the capability of logging every key input into a compromised system. Other methods of input capture include installing malicious code on externally-oriented ports, malware including Trojans with key-recording capabilities, and inbuilt keylogging features on proprietary attack tools.
Regardless of how input is captured, the result is the same: information is collected for a specific reason against the knowledge of the impacted user.
The best way to examine the different methods of input capture used by attackers is to look at real-world examples. They show the different ways input capture is approached by attackers and will give you the best idea of what to expect when faced with the input capture attack technique in real life.
Without further ado, let’s explore some of these examples.
Real-world examples of input capture
As mentioned earlier, keyloggers are the most prevalent tool for input capture. Most of these examples do not use a dedicated keylogger per se, but rather use a proprietary attacker tool that contains either a keylogging feature or module that performs the key logging. The following list represents some of the different methods to accomplish input capture.
DarkHotel is an attack group that has been around since 2004. It mainly targets hotel and business center Wi-Fi and physical internet connections. The group has been known to use a keylogger in their attack campaigns and represents the most basic input capture method — a standalone, dedicated keylogger.
Bandook is a remote access tool (RAT) that offers keylogging capabilities. Keylogging is inbuilt and is just one of the many features available for this RAT. Bandook represents the classic remote access tool with the proverbial Swiss Army knife-style array of features, including input capture.
GreyEnergy refers to both the attack group and family of malware used by the group. Targeting mostly systems in Ukraine, this malware has a keylogging module that allows for capturing every key entered on a compromised system.
This credential stealer is exclusively used by Threat Group-3390 and has been deployed to Microsoft Exchange servers. OwaAuth captures user credentials, DES-encrypts them with the key 12345678 and saves these captured credentials to a log file on the compromised system.
The most difficult thing to deal with regarding the input capture attack technique is that it is an “abuse of system feature” tactic. What this means is that unless the user is willing to give up using the feature (good luck with giving up inputting information into a system!), mitigating this attack technique is nearly impossible.
When keyloggers are used, there are some signs that occur that should tip off a sharp administrator to their use. These signs include:
- Registry and file system modification
- Unexpected driver installation
- Polling to intercept keystrokes
- Addition of a custom credential provider in the registry
- Use of certain API calls, especially SetWindowsHook, GetKeyState and GetAsyncKeyState (may provide valuable behavioral data)
Input capture is an attack technique listed in the MITRE ATT&CK matrix and can be the proverbial bread-and-butter of an attack campaign, as this technique can literally record every key input entered into a compromised system. This is performed normally with either a keylogger or a keylogging feature/module included in an attack tool.
The most difficult thing to deal with is the fact that this attack technique abuses system features. But by proactively monitoring for the signs enumerated above, this attack may be easier to track down than their respective attacker masterminds would like.