Input Capture - T1056
(ATT&CK® Technique)
Definition
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g., Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g., Web Portal Capture).
D3FEND Inferred Relationships
Artifacts related to Input Capture (T1056):
Input Capture accesses Graphical User Interface
Input Capture accesses Keyboard Input Device
Input Capture may-modify Process Code Segment
Input Capture modifies Web Server Application

Defensive techniques (relationship to artifact; inferred relationship to Input Capture):
Process Segment Execution Prevention neutralizes Process Code Segment; may-harden Input Capture
Segment Address Offset Randomization obfuscates Process Code Segment; may-harden Input Capture
IO Port Restriction filters Keyboard Input Device; may-isolate Input Capture
Process Code Segment Verification verifies Process Code Segment; may-detect Input Capture
Software Update updates Web Server Application; may-harden Input Capture
Service Binary Verification verifies Web Server Application; may-detect Input Capture
Restore Software restores Web Server Application; may-restore Input Capture
Input Device Analysis analyzes Keyboard Input Device; may-detect Input Capture
Memory Boundary Tracking analyzes Process Code Segment; may-detect Input Capture