MITRE ATT&CK® Analytic

AN0282: Analytic 0282

Monitors for abnormal process behavior and API calls like SetWindowsHookEx, GetAsyncKeyState, or device input polling commonly used for keystroke logging.

Enterprise | AN0282 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

AN0282 is a Windows-focused detection analytic for spotting behavior commonly associated with keystroke logging: unusual process activity and calls to input-monitoring APIs such as SetWindowsHookEx, GetAsyncKeyState, or device input polling. For leaders, the value is not just catching a specific tool; it is validating whether the organization can see software attempting to capture user input, which can put credentials, sensitive data, and privileged sessions at risk.

Executive priority

Prioritize this as an identity and incident-response readiness question: can the SOC prove it has Windows endpoint visibility into suspicious input-capture behavior, and can responders quickly determine whether credential exposure may have occurred? This analytic can support control assurance and audit evidence around endpoint monitoring, but the supplied ATT&CK object does not provide complete detection logic, a tactic mapping, or relationship context, so local validation is required before treating it as coverage.

Technical view

SOC and detection engineering teams should validate Windows telemetry for abnormal process behavior involving input-monitoring APIs named in the object: SetWindowsHookEx, GetAsyncKeyState, and device input polling. Since the official detection field is not provided, teams should build or review analytics that correlate API-level behavior with process context, parent-child relationships, user context, signing/reputation, execution path, and frequency or rarity. IR teams should prepare triage steps that assess whether suspicious input-capture behavior could have exposed credentials or sensitive user activity.

Likely telemetry

  • Windows endpoint detection and response telemetry
  • Process creation and process lineage data
  • API call or behavioral telemetry for SetWindowsHookEx and GetAsyncKeyState
  • Device input polling or user-input monitoring signals where available
  • File path, code signing, hash, and process reputation metadata

Detection direction

  • Confirm whether endpoint tooling records API-level or behavioral signals for Windows input monitoring; many environments collect process events but not enough API context for this analytic.
  • Tune detections around abnormality and context rather than API presence alone, because legitimate accessibility tools, hotkey managers, remote support software, security tools, and productivity utilities may monitor input.
  • Correlate suspicious input monitoring with unusual process ancestry, unsigned or uncommon binaries, unexpected user locations, persistence, or credential-access investigation context where available.
  • Validate alert triage workflows for credential exposure assessment, because keystroke logging behavior may require password reset or session revocation decisions even when malware attribution is unknown.
  • Document gaps where telemetry does not expose SetWindowsHookEx, GetAsyncKeyState, or device input polling behavior.
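As an added illustration (not part of the ATT&CK object or Glexia's analysis), the scorer below applies the correlation guidance from the Technical view and Detection direction sections to constructed EDR-style events: it considers only the input-monitoring signals the analytic names, then weights each by code signing, execution path, parent process, and fleet rarity so that a signed accessibility tool is not treated like an unsigned binary hooking input from a temp directory. The event fields, weights, threshold, parent list, and the "DeviceInputPolling" label are assumptions, not sensor-specific names.

```python
from dataclasses import dataclass

# APIs named by AN0282; "DeviceInputPolling" is a hypothetical sensor signal.
INPUT_APIS = {"SetWindowsHookEx", "GetAsyncKeyState", "DeviceInputPolling"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe", "wscript.exe"}
ALERT_THRESHOLD = 4  # constructed cut-off; tune against local baselining

@dataclass
class Event:
    process: str          # image name of the calling process
    path: str             # full image path
    parent: str           # parent image name
    api: str              # API or behavioural signal the sensor reported
    signed: bool          # valid code signature present
    host_prevalence: int  # hosts where this hash was seen (constructed field)

# Context checks drawn from the page's guidance: (predicate, weight, reason)
RULES = [
    (lambda e: not e.signed, 2, "unsigned binary"),
    (lambda e: any(d in e.path.lower() for d in USER_WRITABLE), 2,
     "runs from user-writable location"),
    (lambda e: e.parent.lower() in ODD_PARENTS, 2, "unusual parent process"),
    (lambda e: e.host_prevalence < 5, 1, "rare across the fleet"),
]

def score_event(ev):
    """Return (score, reasons); score 0 means no input-monitoring signal."""
    if ev.api not in INPUT_APIS:
        return 0, []
    hits = [(w, why) for check, w, why in RULES if check(ev)]
    reasons = [f"input-monitoring API {ev.api}"] + [why for _, why in hits]
    return 1 + sum(w for w, _ in hits), reasons

def triage(events):
    """Return flagged (process, score, reasons) tuples, highest score first."""
    hits = [(ev.process, *score_event(ev)) for ev in events]
    return sorted((h for h in hits if h[1] >= ALERT_THRESHOLD), key=lambda h: -h[1])

# Constructed sample telemetry (not real captures).
SAMPLE = [
    Event("magnify.exe", r"C:\Windows\System32\magnify.exe", "explorer.exe",
          "SetWindowsHookEx", True, 900),
    Event("update.exe", r"C:\Users\a\AppData\Local\Temp\update.exe",
          "winword.exe", "SetWindowsHookEx", False, 1),
    Event("svc.exe", r"C:\Users\a\Downloads\svc.exe", "explorer.exe",
          "GetAsyncKeyState", False, 2),
    Event("notepad.exe", r"C:\Windows\System32\notepad.exe", "explorer.exe",
          "CreateFileW", True, 900),
]
```

Running `triage(SAMPLE)` flags only the two unsigned binaries; the signed accessibility tool hooking input from System32 stays below the threshold, which is the "abnormality and context rather than API presence alone" point above.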

Mitigation priorities

  • Start by ensuring managed endpoints have telemetry capable of observing suspicious Windows input-monitoring behavior.
  • Apply least privilege and application control practices to reduce the chance that unapproved software can run and monitor user input.
  • Harden endpoint configuration and maintain EDR coverage for systems used by privileged users or handling sensitive data.
  • Prepare IR playbooks for suspected keystroke logging, including scope assessment, credential exposure review, and containment decision points.
  • Use detection validation results as compliance and control-evidence input, but do not represent this analytic as complete coverage without local testing.

Analyst notes and limits

This object is a detection analytic, not a technique description. It provides a concise monitoring objective and named Windows APIs, but no official detection logic, tactics, aliases, labels, or relationship context. Treat it as a prompt for validating endpoint visibility and analytic quality rather than as a deployable rule.

The supplied ATT&CK fields only support Windows scope and the stated API/process-monitoring behavior. No active exploitation, actor usage, specific malware, impact, or guaranteed detection coverage is supported. Local telemetry, tool capability, baselining, and false-positive testing are required.

Official MITRE ATT&CK definition

Analytic 0282

Monitors for abnormal process behavior and API calls like SetWindowsHookEx, GetAsyncKeyState, or device input polling commonly used for keystroke logging.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 10cd30c98f1982f8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 10cd30c98f19…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0282

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.