Rule : Detection of GetAsyncKeyState API Call
Get Async Key State Api Call Query
Query
DeviceEvents
| where ActionType == "GetAsyncKeyStateApiCall"
| where InitiatingProcessVersionInfoFileDescription != "Adobe Acrobat"
| where InitiatingProcessVersionInfoProductName != "QuickTime"
| where InitiatingProcessVersionInfoCompanyName != "Adobe Systems Incorporated"
| where InitiatingProcessVersionInfoCompanyName != "MAXON Computer GmbH"
| where InitiatingProcessVersionInfoCompanyName != "Adobe"About this query
Explanation
This query is designed to detect potentially suspicious use of the GetAsyncKeyState API call, which is often associated with keylogging activities. Keylogging is a technique used by malicious software to capture keystrokes, potentially leading to unauthorized access to sensitive information.
Here's a simple breakdown of what the query does:
-
Monitors Device Events: It looks at events related to device activities.
-
Focuses on a Specific API Call: It specifically checks for events where the action type is
GetAsyncKeyStateApiCall. This API call can be used to detect key presses and is often used by keyloggers. -
Excludes Known Legitimate Software: The query filters out events initiated by certain known legitimate software. It excludes:
- Adobe Acrobat
- QuickTime
- Software from Adobe Systems Incorporated
- Software from MAXON Computer GmbH
- Other Adobe software
By excluding these known software products, the query aims to reduce false positives and focus on potentially malicious use of the GetAsyncKeyState API call. This helps in identifying suspicious activities that might indicate keylogging attempts, providing an early warning for potential security threats.
Details

Ali Hussein
Released: July 21, 2024
Tables
Keywords
Operators