
Insider Threat Matrix™
  • ID: IF027.003
  • Created: 01st October 2025
  • Updated: 23rd October 2025
  • Platforms: Windows, Linux, MacOS, iOS, Android, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI)
  • MITRE ATT&CK®: T1056.001
  • Contributor: The ITM Team

Keylogger Deployment

The subject deploys software designed to record keystrokes entered on an endpoint in order to capture credentials, sensitive communications, internal documentation, or intellectual property. Keyloggers may be introduced as standalone binaries, embedded within otherwise legitimate tools, or configured through dual-use frameworks (e.g. a C++ dropper with a keylogging module). In insider scenarios, the deployment is typically local and deliberate, leveraging the subject’s physical access or assigned privileges to bypass existing controls.

Keyloggers operate in one of several modes:

  • Kernel-based: Install drivers or hook the low-level keyboard input stack (e.g. Kbdclass.sys) to intercept input before it reaches user-mode applications.
  • User-mode: Hook Windows APIs (SetWindowsHookEx, GetAsyncKeyState, GetForegroundWindow) to log input and tie it to the active process or window.
  • Form grabbers: Intercept browser or GUI form submissions, capturing field contents before they are encrypted for transport, so SSL/TLS offers no protection.
  • Clipboard and screen scrapers: Supplement keylogging with capture of copied content and screenshots to add context to the recorded keystrokes.

Captured data is typically stored in encrypted local files (for example under %TEMP%, %APPDATA%, or hidden directories) and periodically exfiltrated via email, FTP, HTTP POST, or external storage.
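Defensive correlation of the behaviour chain described above (input hook, foreground-window lookup, staging under %TEMP%/%APPDATA%, outbound channel), as an added example that is not part of the ITM entry; the JSON-lines telemetry format, its field names and the sample records are constructed assumptions, not any real EDR's schema:

```python
"""Correlate endpoint API/file/network telemetry to surface keylogger-like
process behaviour. Added example; the telemetry format is hypothetical."""
import json
import re
from collections import defaultdict

# Indicators taken from the technique description: input-hooking APIs,
# local staging under %TEMP%/%APPDATA%, and outbound exfiltration channels.
HOOK_RE = re.compile(r"^(SetWindowsHookEx\s+WH_KEYBOARD(_LL)?|GetAsyncKeyState)\b")
CONTEXT_RE = re.compile(r"^GetForegroundWindow\b")
STAGING_RE = re.compile(r"\\(Temp|AppData)\\", re.IGNORECASE)
EXFIL_RE = re.compile(r"^(POST|FTP|SMTP)\s", re.IGNORECASE)

# Constructed JSON-lines telemetry (hypothetical fields: pid, image, event, detail).
SAMPLE_LOG = r"""
{"pid": 4120, "image": "C:\\Users\\jdoe\\Downloads\\updater.exe", "event": "api_call", "detail": "SetWindowsHookEx WH_KEYBOARD_LL"}
{"pid": 4120, "image": "C:\\Users\\jdoe\\Downloads\\updater.exe", "event": "api_call", "detail": "GetForegroundWindow"}
{"pid": 4120, "image": "C:\\Users\\jdoe\\Downloads\\updater.exe", "event": "file_write", "detail": "C:\\Users\\jdoe\\AppData\\Roaming\\.cache\\k.dat"}
{"pid": 4120, "image": "C:\\Users\\jdoe\\Downloads\\updater.exe", "event": "net_conn", "detail": "POST files.example.invalid:443"}
{"pid": 2208, "image": "C:\\Program Files\\HotkeyTool\\hotkey.exe", "event": "api_call", "detail": "SetWindowsHookEx WH_KEYBOARD_LL"}
{"pid": 2208, "image": "C:\\Program Files\\HotkeyTool\\hotkey.exe", "event": "file_write", "detail": "C:\\Program Files\\HotkeyTool\\settings.ini"}
"""


def correlate(log_text):
    """Group events by pid; flag processes whose chain combines an input hook
    with at least one of a staging write or an outbound exfil channel."""
    per_pid = defaultdict(lambda: {"image": None, "flags": set()})
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        detail = ev["detail"]
        if ev["event"] == "api_call" and HOOK_RE.match(detail):
            rec["flags"].add("input_hook")
        elif ev["event"] == "api_call" and CONTEXT_RE.match(detail):
            rec["flags"].add("window_context")
        elif ev["event"] == "file_write" and STAGING_RE.search(detail):
            rec["flags"].add("staging_write")
        elif ev["event"] == "net_conn" and EXFIL_RE.match(detail):
            rec["flags"].add("exfil_channel")
    findings = []
    for pid, rec in sorted(per_pid.items()):
        flags = rec["flags"]
        # A hook alone is noisy (IMEs, accessibility and hotkey tools use it),
        # so require it to be chained with staging or an outbound channel.
        if "input_hook" in flags and flags & {"staging_write", "exfil_channel"}:
            findings.append({"pid": pid, "image": rec["image"], "flags": sorted(flags)})
    return findings
```

Running `correlate(SAMPLE_LOG)` flags only pid 4120; the hotkey tool that installs the same WH_KEYBOARD_LL hook but never stages or transmits data is left alone, which is the point of correlating rather than alerting on the API call by itself.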