MITRE ATT&CK® Detection Strategy

DET0089: Behavioral Detection of Keylogging Activity Across Platforms

Enterprise | DET0089 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it is intended to surface behavior associated with keylogging, a credential-access and collection technique. For leaders, the practical issue is not just malware on an endpoint; it is the possibility that valid credentials are captured over time and later used to expand access. Because the ATT&CK strategy entry itself has no official description, detection text, tactics, or platforms, teams should treat it as a prompt to validate coverage against the related ATT&CK technique T1056.001 rather than as a complete detection specification.

Executive priority

Prioritize this as an identity and incident-response readiness issue. Keylogging can undermine password-based controls and may create delayed compromise risk if captured credentials are reused after the initial host investigation. Security leaders should ask whether SOC monitoring, endpoint visibility, and credential reset playbooks are coordinated when keylogging is suspected, especially across the related technique platforms: Linux, macOS, Network Devices, and Windows.

Technical view

The supplied detection strategy has no official detection logic, so SOC and detection engineering teams should map local analytics to the related technique, T1056.001 Keylogging, under collection and credential-access. Validate whether telemetry can show suspicious input-capture behavior, processes interacting with user input paths, persistence of suspicious tooling, and follow-on credential use. IR teams should pair host investigation with identity review because the related technique description emphasizes interception of credentials as users type them, potentially over a substantial period.

Likely telemetry

  • Endpoint process execution and parent-child process context
  • Endpoint file, module, driver, or persistence-related activity where available
  • OS security and audit logs relevant to user sessions and input-access behavior
  • EDR alerts or behavioral detections associated with input capture or suspicious credential collection
  • Identity authentication logs for follow-on use of potentially captured credentials

Detection direction

  • Do not assume coverage from the ATT&CK detection strategy alone; the official detection field is not provided.
  • Validate detections against the related technique T1056.001 and its tactics: collection and credential-access.
  • Tune for behavioral context rather than names alone, because the related technique notes many different ways of intercepting keystrokes.
  • Correlate endpoint findings with identity telemetry to identify possible post-capture credential use.
  • Account for false positives from legitimate accessibility, remote administration, security, or input-management software before escalating.
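The detection direction above (score behaviour rather than file names, allow for legitimate input-hooking software, and correlate endpoint findings with later credential use) can be expressed as a small triage routine. The following is an added example written for this page; it is not Glexia's or MITRE's code. The event schema, field names, indicator weights, allowlist paths and all sample records are constructed for the demonstration and must be mapped to your own EDR and identity telemetry.

```python
"""Behavioural triage for suspected keylogging (added example, constructed data).

Each endpoint event is one process as an EDR-like sensor might summarise it;
auth events are successful/failed logons from an identity log.  All field
names, weights and sample values below are assumptions for this demo.
"""
from datetime import datetime, timedelta

# Indicator weights: behaviour, not a file name, drives the score (constructed).
BEHAVIOR_WEIGHTS = {
    "input_hook": 3,           # process registers to receive keyboard/input events
    "persistence_run_key": 2,  # tooling survives a reboot
    "hidden_window": 1,        # runs with no visible UI
    "network_beacon": 1,       # periodic outbound connections (possible exfil)
}
UNSIGNED_WEIGHT = 2            # unsigned binaries raise suspicion further
ESCALATE_THRESHOLD = 5
REVIEW_THRESHOLD = 3

# Hypothetical allowlist of accessibility / remote-administration software that
# legitimately hooks input.  Allowlisted hits are reviewed, never auto-escalated,
# but never silently dropped either (the path could be impersonated).
ALLOWLIST_PREFIXES = (
    "c:\\program files\\vendor\\screenreader\\",
    "c:\\program files\\remoteadmin\\",
)

# Constructed endpoint telemetry (three processes on three hosts).
ENDPOINT_EVENTS = [
    {"host": "ws01", "user": "alice", "pid": 4120, "signed": False,
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\upd.exe",
     "ts": "2024-05-01T09:02:00",
     "behaviors": {"input_hook", "persistence_run_key", "hidden_window"}},
    {"host": "ws02", "user": "bob", "pid": 2210, "signed": True,
     "image": "C:\\Program Files\\Vendor\\ScreenReader\\sr.exe",
     "ts": "2024-05-01T09:05:00",
     "behaviors": {"input_hook"}},
    {"host": "ws03", "user": "carol", "pid": 980, "signed": True,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "ts": "2024-05-01T09:06:00",
     "behaviors": set()},
]

# Constructed identity telemetry.  src_host is where the logon came from.
AUTH_EVENTS = [
    {"user": "alice", "src_host": "ws01",   "outcome": "success", "ts": "2024-04-30T08:00:00"},
    {"user": "alice", "src_host": "vpn-gw", "outcome": "success", "ts": "2024-05-01T21:30:00"},
    {"user": "bob",   "src_host": "ws02",   "outcome": "success", "ts": "2024-05-01T09:30:00"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_allowlisted(image):
    """True when the image path sits under a known legitimate input-hooking product."""
    return image.lower().startswith(ALLOWLIST_PREFIXES)


def score_process(ev):
    """Sum indicator weights for one process; return (score, reasons)."""
    score, reasons = 0, []
    for behavior in sorted(ev["behaviors"]):
        weight = BEHAVIOR_WEIGHTS.get(behavior, 0)
        if weight:
            score += weight
            reasons.append(behavior)
    if not ev["signed"]:
        score += UNSIGNED_WEIGHT
        reasons.append("unsigned")
    return score, reasons


def find_followon_auth(ev, auth_events, window_days=7):
    """Successful logons by the affected user, after the endpoint event, from a
    source other than the affected host: possible use of captured credentials."""
    start = parse_ts(ev["ts"])
    end = start + timedelta(days=window_days)
    return [a for a in auth_events
            if a["user"] == ev["user"] and a["outcome"] == "success"
            and a["src_host"] != ev["host"] and start <= parse_ts(a["ts"]) <= end]


def triage(endpoint_events, auth_events):
    """Produce one finding per process with a verdict: escalate / review / benign."""
    findings = []
    for ev in endpoint_events:
        score, reasons = score_process(ev)
        allowlisted = is_allowlisted(ev["image"])
        followon = find_followon_auth(ev, auth_events)
        if allowlisted:
            verdict = "review" if score >= REVIEW_THRESHOLD else "benign"
        elif score >= ESCALATE_THRESHOLD:
            verdict = "escalate"
        elif score >= REVIEW_THRESHOLD or (followon and score > 0):
            verdict = "review"
        else:
            verdict = "benign"
        findings.append({"host": ev["host"], "user": ev["user"], "pid": ev["pid"],
                         "score": score, "reasons": reasons, "allowlisted": allowlisted,
                         "followon_auth": followon, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(ENDPOINT_EVENTS, AUTH_EVENTS):
        print(f"{f['host']}: {f['verdict']} (score={f['score']}, reasons={f['reasons']}, "
              f"follow-on logons={len(f['followon_auth'])})")
```

Running it marks the unsigned, persistent, input-hooking process on ws01 for escalation and attaches alice's later logon from a different source as the identity lead to chase; the signed screen reader on ws02 lands in review rather than being dropped or escalated; notepad on ws03 is benign. The weights and thresholds are deliberately simple so that local tuning against real false-positive sources is the first step, as the list above requires.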

Mitigation priorities

  • Strengthen endpoint monitoring and response coverage on systems where credential entry occurs.
  • Ensure incident playbooks require credential resets, session review, and authentication log review when keylogging is suspected.
  • Reduce credential value through phishing-resistant or multi-factor authentication where applicable, while recognizing that this object does not provide a specific mitigation list.
  • Limit unnecessary local privilege and software installation paths that could support unauthorized input-capture tooling.
  • Maintain evidence for audit and compliance by documenting what telemetry is collected, retained, and reviewed for credential-access investigations.

Analyst notes and limits

This Glexia take is based on the detection strategy object DET0089 and its relationship to ATT&CK technique T1056.001 Keylogging. The source object is sparse: it provides a name and relationship context but no official description, no official detection text, no tactics, and no platforms for the detection strategy itself. The related technique supplies the business and technical context: keylogging is associated with credential access and collection, and may be used to capture credentials over time.

No active exploitation, attribution, prevalence beyond the supplied related technique wording, or guaranteed detection coverage is asserted. Local validation is required to determine whether the organization collects the necessary endpoint and identity telemetry and whether existing analytics cover the relevant operating environments.

Official MITRE ATT&CK definition

Behavioral Detection of Keylogging Activity Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain     | ID        | Name       | Relationship / procedure
Enterprise | T1056.001 | Keylogging | Sub-technique. This object detects Keylogging.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ebe29f99fe09c6b4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | ebe29f99fe09…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0089 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.