MITRE ATT&CK® Analytic

AN0687: Analytic 0687

Behavior chain involving unexpected API calls to capture keyboard input, driver loads for keyloggers, or remote use of smart card authentication via logon sessions not initiated by local user interaction

Domain: Enterprise | ID: AN0687 | Type: Analytic | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic points to Windows behaviors associated with capturing keyboard input or abusing smart card authentication outside normal local user interaction. For leaders, the practical concern is credential and authentication integrity: if keyboard capture or unexpected smart card logon activity is missed, attackers may obtain secrets or use authenticated sessions in ways that undermine incident containment, audit confidence, and identity controls.

Executive priority

Prioritize this as an identity and endpoint visibility validation item rather than a standalone control. Security leaders should ask whether Windows endpoint telemetry can show unusual keyboard-input capture APIs, suspicious driver loads consistent with keylogging, and smart card logon sessions that do not align with local user activity. This matters for incident response readiness, privileged access assurance, and audit evidence around authentication monitoring.

Technical view

The supplied ATT&CK analytic is Windows-focused and describes a behavior chain: unexpected API calls to capture keyboard input, driver loads for keyloggers, or remote use of smart card authentication through logon sessions not initiated by local user interaction. SOC and detection engineering teams should validate whether they can correlate endpoint process activity, API-related signals where available, driver load events, logon/session context, and smart card authentication records. No official detection logic or relationship context was supplied, so implementation should be locally engineered and tested against expected administrative tools, accessibility software, endpoint agents, and legitimate smart card workflows.

Likely telemetry

  • Windows endpoint process and module/activity telemetry
  • Driver load events and kernel driver inventory
  • Authentication and logon session records
  • Smart card authentication events where available
  • User interaction or session context indicating local versus remote initiation

Detection direction

  • Validate visibility for unusual or unexpected keyboard input capture behavior on Windows endpoints; tune against legitimate accessibility, remote support, and enterprise management software.
  • Monitor driver loads for unusual, unsigned, newly introduced, or rarely observed drivers, especially when correlated with processes or sessions that suggest credential capture risk.
  • Correlate smart card logon activity with session origin and evidence of local user interaction to identify remote or anomalous use patterns.
  • Use behavior-chain correlation where possible rather than a single indicator, because API calls, drivers, and smart card logons can each have legitimate explanations.
  • Document telemetry gaps explicitly, since the ATT&CK object provides no official detection logic.
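The bullets above call for behavior-chain correlation rather than single-indicator alerting, tuned against a local baseline. The following is an added example (not detection logic from the ATT&CK object, MITRE, or Glexia) that shows one way to engineer that locally: a small correlator that filters three stages of the chain (input-capture API signal, driver load, remote smart card logon) through an allowlist and then alerts only when two or more distinct stages occur on the same host inside a time window. The event schema, field names (`session_origin`, `local_interaction`, `first_seen`), window size, and allowlists are all assumptions, and the sample events are constructed for illustration.

```python
"""Behavior-chain correlation for AN0687-style signals.

Added example, not from the ATT&CK object or Glexia. The normalized event
schema, field names, window size and allowlists are assumptions; the sample
events below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """Hypothetical normalized endpoint/identity event.

    kind is one of:
      "input_capture"   - API-related keyboard-capture signal from endpoint telemetry
      "driver_load"     - kernel driver load event
      "smartcard_logon" - smart card authentication / logon session record
    """
    ts: datetime
    host: str
    kind: str
    detail: dict = field(default_factory=dict)


# Local baseline (assumed): drivers and processes that legitimately touch keyboard input.
KNOWN_DRIVERS = {"kbdclass.sys", "i8042prt.sys"}
KNOWN_INPUT_PROCESSES = {"osk.exe", "remotesupport.exe"}  # accessibility / remote support

WINDOW = timedelta(minutes=15)  # assumed correlation window


def is_suspicious(ev: Event) -> bool:
    """Per-event filter: drop baseline activity, keep events that can form a chain stage."""
    d = ev.detail
    if ev.kind == "input_capture":
        return d.get("process", "").lower() not in KNOWN_INPUT_PROCESSES
    if ev.kind == "driver_load":
        name = d.get("driver", "").lower()
        unsigned_or_new = (not d.get("signed", False)) or d.get("first_seen", False)
        return name not in KNOWN_DRIVERS and unsigned_or_new
    if ev.kind == "smartcard_logon":
        # Only sessions not initiated by local user interaction count toward the chain.
        return d.get("session_origin") == "remote" and not d.get("local_interaction", False)
    return False


def correlate(events, window=WINDOW, min_stages=2):
    """Cluster suspicious events per host; alert when a window holds >= min_stages distinct stages."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suspicious(ev):
            by_host[ev.host].append(ev)

    alerts = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            anchor = evs[i]
            cluster = [e for e in evs[i:] if e.ts - anchor.ts <= window]
            stages = {e.kind for e in cluster}
            if len(stages) >= min_stages:
                alerts.append({"host": host, "start": anchor.ts,
                               "stages": sorted(stages), "events": cluster})
                i += len(cluster)  # events consumed by this alert
            else:
                i += 1
    return alerts


# Constructed sample telemetry for three workstations.
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    # wsA: accessibility tool plus a known keyboard-class driver -> baseline, no alert
    Event(T0, "wsA", "input_capture", {"process": "osk.exe", "api": "SetWindowsHookEx"}),
    Event(T0 + timedelta(minutes=1), "wsA", "driver_load", {"driver": "kbdclass.sys", "signed": True}),
    # wsB: unknown process hooks input, unsigned new driver loads, remote smart card logon follows
    Event(T0 + timedelta(minutes=2), "wsB", "input_capture", {"process": "unknown_tool.exe", "api": "SetWindowsHookEx"}),
    Event(T0 + timedelta(minutes=3), "wsB", "driver_load", {"driver": "kbdflt.sys", "signed": False, "first_seen": True}),
    Event(T0 + timedelta(minutes=10), "wsB", "smartcard_logon",
          {"user": "alice", "session_origin": "remote", "local_interaction": False}),
    # wsC: a lone remote smart card logon, then an unsigned driver 40 minutes later (outside the window)
    Event(T0 + timedelta(minutes=5), "wsC", "smartcard_logon",
          {"user": "bob", "session_origin": "remote", "local_interaction": False}),
    Event(T0 + timedelta(minutes=45), "wsC", "driver_load", {"driver": "kbdflt.sys", "signed": False}),
]


def alert_hosts(events=SAMPLE_EVENTS):
    """Convenience wrapper returning the hosts that produced a chain alert."""
    return sorted(a["host"] for a in correlate(events))


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["start"], a["stages"], len(a["events"]), "events")
```

Only wsB alerts: it shows all three stages inside the window, while wsA is fully explained by the baseline and wsC never has two stages close enough together. In practice the allowlists and the `session_origin`/`local_interaction` fields would be derived from your own EDR, driver inventory, and logon telemetry, and the window and `min_stages` threshold tuned against observed administrative and smart card workflows.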

Mitigation priorities

  • Ensure Windows endpoint logging and EDR coverage are sufficient to support investigation of process behavior, driver loads, and authentication sessions.
  • Harden driver control practices, including review and restriction of untrusted or unnecessary drivers where organizational policy allows.
  • Review smart card authentication workflows, especially privileged and remote access use cases, to ensure expected session patterns are understood and monitored.
  • Maintain allowlists or baselines for legitimate accessibility tools, remote support utilities, security agents, and administrative software that may interact with keyboard input or sessions.
  • Include these behaviors in incident response playbooks for suspected credential capture or anomalous smart card authentication.

Analyst notes and limits

This is a detection analytic object, not a technique object, and no tactics, official detection logic, labels, aliases, or relationships were supplied. The strongest use is as a coverage-validation prompt for Windows endpoint, identity, and SOC teams. Local baselining is essential because several described behaviors may occur in legitimate software and administrative workflows.

The source fields do not provide detection pseudocode, data source mappings, related ATT&CK techniques, adversary use, impact, or mitigation text. Any production detection or risk rating requires local telemetry, asset criticality, authentication architecture, and known-good software baselines.

Official MITRE ATT&CK definition

Analytic 0687

Behavior chain involving unexpected API calls to capture keyboard input, driver loads for keyloggers, or remote use of smart card authentication via logon sessions not initiated by local user interaction

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0c321ea2c1f7980e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 0c321ea2c1f7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0687 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.