Query Details

Rule : Detection of GetAsyncKeyState API Call

Get Async Key State Api Call Query

Query

DeviceEvents
| where ActionType == "GetAsyncKeyStateApiCall"
| where InitiatingProcessVersionInfoFileDescription != "Adobe Acrobat"
| where InitiatingProcessVersionInfoProductName != "QuickTime"
| where InitiatingProcessVersionInfoCompanyName != "Adobe Systems Incorporated"
| where InitiatingProcessVersionInfoCompanyName != "MAXON Computer GmbH"
| where InitiatingProcessVersionInfoCompanyName != "Adobe"

About this query

Explanation

This query is designed to detect potentially suspicious use of the GetAsyncKeyState API call, which is often associated with keylogging activities. Keylogging is a technique used by malicious software to capture keystrokes, potentially leading to unauthorized access to sensitive information.

Here's a simple breakdown of what the query does:

  1. Monitors Device Events: It looks at events related to device activities.

  2. Focuses on a Specific API Call: It specifically checks for events where the action type is GetAsyncKeyStateApiCall. This API call can be used to detect key presses and is often used by keyloggers.

  3. Excludes Known Legitimate Software: The query filters out events initiated by certain known legitimate software. It excludes:

    • Adobe Acrobat
    • QuickTime
    • Software from Adobe Systems Incorporated
    • Software from MAXON Computer GmbH
    • Other Adobe software

By excluding these known software products, the query aims to reduce false positives and focus on potentially malicious use of the GetAsyncKeyState API call. This helps in identifying suspicious activities that might indicate keylogging attempts, providing an early warning for potential security threats.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 21, 2024

Tables

DeviceEvents

Keywords

DeviceEventsActionTypeInitiatingProcessVersionInfoFileDescriptionInitiatingProcessVersionInfoProductNameInitiatingProcessVersionInfoCompanyNameKeyloggingGetAsyncKeyStateInputCaptureAPICallMITREATT&CKSuspiciousActivity

Operators

DeviceEvents|where==!=

MITRE Techniques

Actions

GitHub