T1056
Input Capture
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture...
Linux, macOS, Network Devices, Windows
7 Detections
2 Sources
3 Threat Actors
BY SOURCE
elastic: 5, sigma: 2
PROCEDURES (5)
Credential: 2 detections
Auto-extracted: 2 detections for credential
Credential: 2 detections
Auto-extracted: 2 detections for credential
Service Monitoring: 1 detection
Auto-extracted: 1 detection for service monitoring
Process Creation Monitoring: 1 detection
Auto-extracted: 1 detection for process creation monitoring
Credential: 1 detection
Auto-extracted: 1 detection for credential
THREAT ACTORS (3)
DETECTIONS (7)
DNS Query Request To OneLaunch Update Service
sigma, low
Potential SSH Password Grabbing via strace
elastic, medium
Potential Sudo Hijacking
elastic, medium
PowerShell Keylogging Script
elastic, high
Prompt for Credentials with Osascript
elastic, high
Suspicious Network Communication With IPFS
sigma, low
Suspicious pbpaste High Volume Activity
elastic, medium