Collection, Indicators of Keylogging through powershell
Power Shell Key Logging
Query
DeviceEvents
| where ActionType contains "PowerShellCommand"
| extend parsed = parse_json(AdditionalFields)
| where parsed.Command contains "GetAsyncKeyState" or parsed.Command contains "NtUserGetAsyncKeyState" or parsed.Command contains "GetKeyboardState" or parsed.Command contains "Get-Keystrokes" or parsed.Command contains"SetWindowsHook" or parsed.Command contains "NtUserSetWindowsHook"
or parsed.Command contains "GetWindowText" or parsed.Command contains "GetForegroundWindow"
| where InitiatingProcessParentFileName !in ("MicrosoftDependencyAgent.exe","slack.exe","MonitoringHost.exe","Slack.exe")
| where InitiatingProcessVersionInfoProductName != @"Microsoft Monitoring Agent"Explanation
This query looks for indicators of keylogging through PowerShell commands on a device. It checks for specific commands related to keylogging and filters out certain known processes that are not relevant. The goal is to detect any suspicious activity that could indicate keylogging behavior.
