
# Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for substantial period of time before credentials can be successfully captured.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes. Some methods include:

- Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
- Reading raw keystroke data from the hardware buffer.
- Windows Registry modifications.
- Custom drivers.
- Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.

**Example:**

In this demo I will use a simple PowerShell keylogger. It demonstrates that, although this technique is very well known, it is still reliable in its own way, and because it is implemented in PowerShell it can be run completely in memory. Be aware, though, that while the script logs keystrokes in memory, it also creates a file on disk containing all the captured input; that file is written when the script is cancelled.

We will import the script into our PowerShell session and start running the module.

![](/files/-MRkfrd7niuc55u5tmqg)

Once we cancel the script, a Notepad window opens containing all the keystrokes recorded while it was running.

![](/files/-MRkfsJEvaPEMkplU1P_)

Of course this isn't OPSEC safe, but it is a simple demonstration of a keylogger; there are many varieties of this technique written in many languages (C, C++, C#, etc.).
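From the defender's side, the in-memory PowerShell variant above still leaves a trace: Script Block Logging (Event ID 4104) records the de-obfuscated script text even when nothing touches disk. The following hunt is an added example written for these notes, not code from the original page or the demo script; the indicator list and the function names are my own assumptions.

```powershell
# Added detection example (not part of the original notes): hunt PowerShell
# Script Block Logging (Event ID 4104) for keystroke-capture API usage.
# Requires Script Block Logging to be enabled, e.g. via policy:
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
#   EnableScriptBlockLogging = 1
# The indicator list and function names below are assumptions, not a standard.

# Win32 APIs and constants a PowerShell keylogger commonly pulls in via Add-Type / P/Invoke.
$KeystrokeIndicators = @(
    'GetAsyncKeyState',   # polling each virtual key for its pressed state
    'GetKeyboardState',
    'SetWindowsHookEx',   # installing a keyboard hook (the "hooking API callbacks" method)
    'WH_KEYBOARD_LL',     # low-level keyboard hook constant
    'MapVirtualKey'       # translating virtual keys / scan codes to characters
)

function Test-KeystrokeCaptureIndicators {
    param([string]$ScriptText)
    # Return the indicators present in the text (empty when none match).
    $KeystrokeIndicators | Where-Object { $ScriptText -match [regex]::Escape($_) }
}

function Find-KeyloggerScriptBlocks {
    param([int]$MaxEvents = 5000, [int]$MinimumHits = 2)
    # Properties[2] is ScriptBlockText, [3] ScriptBlockId, [4] Path (empty for in-memory blocks).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $hits = @(Test-KeystrokeCaptureIndicators -ScriptText $text)
        # Requiring more than one indicator cuts noise from scripts that touch a single API.
        if ($hits.Count -ge $MinimumHits) {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Path          = $_.Properties[4].Value
                Indicators    = ($hits -join ', ')
            }
        }
    }
}

Find-KeyloggerScriptBlocks | Format-Table -AutoSize
```

An empty Path column on a hit is itself notable: it means the block was invoked from memory (for example after an Import-Module from a download cradle) rather than from a script file on disk.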
