MITRE ATT&CK® Detection Strategy

DET0102: Behavioral Detection of Input Capture Across Platforms


Enterprise | DET0102 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0102 is a MITRE detection strategy for identifying behavioral signs of Input Capture, a technique used to collect credentials or other user-entered information. Its business value is that input capture can undermine identity assurance even when accounts and applications appear to be functioning normally. Because the ATT&CK object has no official detection narrative, teams should treat it as a validation prompt: confirm whether SOC, endpoint, identity, and network monitoring can surface suspicious input-capture behavior across the environments where T1056 is relevant.

Executive priority

Prioritize this as an identity and incident-response readiness issue. Input Capture is associated with credential access and collection, so missed telemetry can lead to weak evidence during account compromise investigations and delayed containment decisions. Leaders should ask whether monitoring covers the operating systems and device classes tied to T1056—Linux, macOS, Windows, and network devices—and whether detection engineering has documented what evidence would prove or disprove input-capture activity during an incident.

Technical view

This detection strategy covers T1056 Input Capture, which is mapped to the credential-access and collection tactics. Since DET0102 does not provide an official detection body, SOC and detection teams should build validation around behavior rather than a single indicator. Confirm visibility into processes, user sessions, authentication prompts, browser or portal interactions where available, and security events that could support investigation of credential or input collection. IR teams should predefine triage questions: what user input may have been exposed, which accounts were active, which systems or portals were involved, and whether the observed behavior aligns with legitimate software or administrative tooling.

Likely telemetry

  • Endpoint process and command execution telemetry from systems in scope for T1056
  • User session and login activity records
  • Identity and authentication logs related to credential use before and after suspected input capture
  • Browser, web portal, or application access logs where credential-entry workflows are relevant
  • Network device administrative access logs where supported

Detection direction

  • Validate that detections are tied to T1056-relevant tactics: credential access and collection, not only generic malware alerts.
  • Tune for behavioral patterns that indicate user input or credential collection while accounting for legitimate administrative, accessibility, remote support, or security software that may observe input-related activity.
  • Correlate endpoint observations with identity events to distinguish input-capture suspicion from normal failed logins, password resets, or help-desk activity.
  • Check blind spots across the related platforms listed for T1056: Linux, macOS, Windows, and network devices. DET0102 itself does not specify platform coverage, so local telemetry determines actual visibility.
  • Require incident playbooks to capture enough evidence to assess potential credential exposure, affected users, and required credential rotation or session revocation.
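As an added example that is not part of the Glexia or MITRE page, the correlation described in the bullets above can be sketched as a small Python triage routine: it joins hypothetical EDR observations already flagged as possible input capture with identity events in a time window, suppresses approved accessibility or remote-support software, and records the evidence a playbook needs. All event fields, process names, event types and the allowlist are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not from the page. The endpoint rows stand for observations an
# upstream EDR analytic already flagged as possible input capture; field names are assumptions.
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T09:02:00", "host": "ws-17", "user": "alice", "process": "svchelper.exe"},
    {"ts": "2024-05-01T09:10:00", "host": "ws-22", "user": "bob", "process": "remote-support-agent.exe"},
    {"ts": "2024-05-01T13:45:00", "host": "ws-03", "user": "carol", "process": "kbdhook.exe"},
]
IDENTITY_EVENTS = [
    {"ts": "2024-05-01T08:55:00", "user": "alice", "type": "helpdesk_ticket"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "type": "password_reset"},
    {"ts": "2024-05-01T13:50:00", "user": "carol", "type": "login_success"},
]
# Legitimate software that observes input (accessibility, remote support): constructed allowlist.
APPROVED_INPUT_OBSERVERS = {"remote-support-agent.exe"}
# Identity activity that offers a benign explanation for nearby credential-related noise.
BENIGN_IDENTITY_CONTEXT = {"helpdesk_ticket", "password_reset", "failed_login"}


def identity_context(user, when, identity_events, window):
    """Identity events for `user` within +/- `window` of the endpoint observation time."""
    t0 = datetime.fromisoformat(when)
    return [e for e in identity_events
            if e["user"] == user and abs(datetime.fromisoformat(e["ts"]) - t0) <= window]


def triage(endpoint_events, identity_events, window=timedelta(minutes=30)):
    """Correlate each flagged endpoint observation with identity events and assign a disposition."""
    results = []
    for ev in endpoint_events:
        ctx_types = sorted({e["type"] for e in identity_context(ev["user"], ev["ts"], identity_events, window)})
        if ev["process"] in APPROVED_INPUT_OBSERVERS:
            disposition = "suppressed_approved_software"
        elif set(ctx_types) & BENIGN_IDENTITY_CONTEXT:
            disposition = "review_benign_identity_context"  # analyst review, lower priority
        else:
            disposition = "escalate"  # no legitimate explanation found in identity telemetry
        results.append({
            "user": ev["user"], "host": ev["host"], "process": ev["process"],
            "identity_context": ctx_types,
            "disposition": disposition,
            # Evidence the playbook needs: who is affected and whether credential rotation is due.
            "credential_rotation_recommended": disposition == "escalate",
        })
    return results


if __name__ == "__main__":
    for row in triage(ENDPOINT_EVENTS, IDENTITY_EVENTS):
        print(row)
```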

Mitigation priorities

  • Start with visibility: inventory where user credentials and sensitive inputs are entered and confirm that logs from those systems are available to the SOC.
  • Prioritize identity safeguards that reduce the business impact of captured credentials, such as strong authentication and rapid account/session response processes, without assuming they prevent all input capture.
  • Harden and monitor endpoints and administrative access paths associated with credential entry and network device management.
  • Document response criteria for suspected input capture, including account risk review, credential reset decisions, and preservation of forensic evidence.
  • Use the strategy as compliance and assurance evidence only after confirming local detections, logging retention, and response procedures are tested.

Analyst notes and limits

The supplied ATT&CK object is sparse: it provides the strategy name and relationship to T1056 but no official description, detection text, platforms, or tactics for the detection strategy itself. The strongest supported interpretation is that DET0102 should guide behavioral detection planning for Input Capture rather than serve as a ready-made analytic.

This take is constrained to the provided STIX fields, external reference, and relationship context. It does not assert active exploitation, adversary attribution, guaranteed detection, or specific tool coverage. Local environment architecture, endpoint/identity logging, and incident evidence are required to determine actual defensive coverage.

Official MITRE ATT&CK definition

Behavioral Detection of Input Capture Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name           Relationship / procedure
Enterprise  T1056  Input Capture  This object detects Input Capture.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 65e72f8d36737410...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  65e72f8d3673…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0102

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.