This article discusses hotkey-based keyloggers, emphasizing their methods of operation and detection techniques. It details how these keyloggers abuse the RegisterHotKey function in Windows to intercept keystrokes and introduces a detection tool that leverages undocumented hotkey data in kernel space. Affected: Windows, cyber security sector
Key points:
- Hotkey-based keyloggers can capture keystrokes using custom registered hotkeys via the RegisterHotKey API.
- The detection technique utilizes an undocumented kernel data structure called gphkHashTable to find registered hotkeys.
- Event Tracing for Windows (ETW) does not monitor the RegisterHotKey API, requiring alternative detection methods.
- Implementing a device driver is necessary to access kernel space and scan for registered hotkeys.
- The detection tool alerts users if a suspicious number of alphanumeric keys are registered, indicating a potential keylogger.
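The alerting rule in the last key point can be sketched in user mode once the registered hotkeys have been enumerated. The following is an added example, not code from the Elastic article or its tool: it assumes a driver (hypothetical here) has already walked the kernel hotkey table and handed back a flat list of (virtual-key, modifier mask, owning PID) entries, and it flags any process that registered an unusually large number of bare letter or digit keys, which is what a keylogger needs in order to see ordinary typing. The entries are constructed sample data; the MOD_* flags and VK ranges are the documented Win32 values.

```python
"""Heuristic over enumerated hotkeys: many unmodified alphanumeric keys owned by
one process is the signature the page describes. Added example; the entry layout
is an assumption about a hypothetical driver's output, not the real kernel table."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Win32 modifier flags as passed to RegisterHotKey (documented values).
MOD_ALT, MOD_CONTROL, MOD_SHIFT, MOD_WIN = 0x0001, 0x0002, 0x0004, 0x0008

# Documented virtual-key ranges for '0'..'9' and 'A'..'Z'.
VK_DIGITS = range(0x30, 0x3A)
VK_LETTERS = range(0x41, 0x5B)


@dataclass(frozen=True)
class HotkeyEntry:
    vk: int          # virtual-key code
    modifiers: int   # bitmask of MOD_* flags
    pid: int         # owning process (assumed resolved by the driver)


def is_plain_alnum(entry: HotkeyEntry) -> bool:
    """True for a letter/digit hotkey with no modifier or only Shift.

    Such a registration diverts normal typing of that character to the
    registering process; Ctrl/Alt/Win combinations are ordinary shortcuts.
    """
    alnum = entry.vk in VK_DIGITS or entry.vk in VK_LETTERS
    return alnum and entry.modifiers & ~MOD_SHIFT == 0


def suspicious_processes(entries: Iterable[HotkeyEntry],
                         threshold: int = 10) -> Dict[int, int]:
    """Map pid -> count of plain alphanumeric hotkeys, for pids at/over threshold."""
    counts = Counter(e.pid for e in entries if is_plain_alnum(e))
    return {pid: n for pid, n in counts.items() if n >= threshold}


def _build_sample() -> List[HotkeyEntry]:
    """Constructed sample: two benign shortcut users and one process that
    hooked every letter and digit without modifiers."""
    legit = [
        HotkeyEntry(0x53, MOD_CONTROL | MOD_SHIFT, 1001),  # Ctrl+Shift+S
        HotkeyEntry(0x70, 0, 1001),                        # F1, not alphanumeric
        HotkeyEntry(0x41, MOD_WIN, 1002),                  # Win+A
    ]
    hooked = [HotkeyEntry(vk, 0, 4242) for vk in list(VK_LETTERS) + list(VK_DIGITS)]
    return legit + hooked


SAMPLE_ENTRIES = _build_sample()


def report(entries: Iterable[HotkeyEntry], threshold: int = 10) -> List[str]:
    """Human-readable alert lines, one per flagged process."""
    return [f"ALERT pid={pid}: {n} unmodified alphanumeric hotkeys registered"
            for pid, n in sorted(suspicious_processes(entries, threshold).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_ENTRIES):
        print(line)
```

The threshold is a tuning knob: a handful of bare keys can be legitimate (for instance a media tool binding single letters), but a process that claims most of the alphabet has no plausible reason other than capturing input, so the count per owning process, not the mere presence of a hotkey, is what drives the alert.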
MITRE Techniques:
- T1056 - Input Capture: This keylogger captures keystrokes via registered hotkeys, simulating regular keypresses to remain stealthy.
- T1086 - PowerShell: Not directly applicable in this context, but may be used alongside hotkey-based detection strategies for monitoring.
Indicators of Compromise:
- [Domain] github.com
- [File] DEMO_VIDEO.mp4
Full Story: https://www.elastic.co/security-labs/detecting-hotkey-based-keyloggers