Uncommon SetWindowsHookEx API invocation of a possible keylogger

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Input Capture: Keylogging (T1056.001)

Severity

Medium

Description

A process installed a Windows desktop hook by calling the SetWindowsHookEx API function with an unpopular module. This behavior is commonly seen in keyloggers.

Attacker's Goals

Attackers can monitor keyboard events as another way for credential gathering or to collect more user data over time for espionage purposes.

Investigative actions

  • Check if the process has a user interface (a visible window).
  • Check if the process has an option to set or modify keyboard hot-keys.
  • Check if the process is part of a remote control tool.
  • Check if the process is a known user application that was updated recently.
  • Check if the process is built with AutoHotkey and is known to the user.
  • If the process is a scripting engine or a hosting executable, check the actor process command line.
  • Investigate the endpoint if the process writes files to disk.