| ID | Name |
|---|---|
| ATAGS-T1117.001 | Credential API Hooking |
| ATAGS-T1117.002 | GUI Input Capture |
| ATAGS-T1117.003 | Keylogging |
| ATAGS-T1117.004 | Web Portal Capture |

Threat Actors may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require Threat Actors to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, Threat Actors may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.