Skip to content
Threat Feed
high advisory

PowerShell Keylogging Script Detection

This brief documents a high-severity threat involving PowerShell scripts used for keylogging on Windows systems to capture credentials and sensitive user input.

This threat brief addresses the use of PowerShell scripts for keylogging activities on Windows systems. The detection focuses on identifying script block content that incorporates Win32 keylogging primitives, such as key state polling and low-level input hooks. Keylogging is a common technique used by adversaries to capture sensitive information, including credentials, financial data, and personal communications. PowerShell's flexibility and ubiquity make it a popular choice for such activities. This detection is based on the Elastic detection rule "PowerShell Keylogging Script" updated as of March 30, 2026, and aims to provide detection engineers with actionable intelligence to identify and mitigate this threat. The references include known keylogging scripts like "Get-Keystrokes.ps1" from the Empire Project and "FunnyLogger.ps1."

Attack Chain

  1. Initial Access: An attacker gains initial access to the system through various means, such as phishing emails or exploiting vulnerabilities in applications.
  2. PowerShell Execution: The attacker executes a PowerShell script, either directly or by injecting it into an existing PowerShell process.
  3. Keylogging Function Invocation: The PowerShell script invokes Win32 API functions related to keylogging, such as GetAsyncKeyState, NtUserGetAsyncKeyState, GetKeyboardState, SetWindowsHookEx, SetWindowsHookExA, SetWindowsHookExW, or NtUserSetWindowsHookEx.
  4. Hook Installation: If using hooks, the script installs a low-level keyboard hook using functions like SetWindowsHookEx to monitor keystrokes.
  5. Keystroke Capture: The script captures keystrokes using the hook procedure or by polling the keyboard state. The script may use GetForegroundWindow, GetWindowTextA, or GetWindowTextW to label captured keystrokes with the active window title.
  6. Data Storage: The captured keystrokes are stored locally in a file or variable.
  7. Data Exfiltration: The script exfiltrates the captured keystrokes to a remote server via HTTP/HTTPS or other protocols. This step may involve encoding or encrypting the data to evade detection.
  8. Cleanup: The attacker may attempt to remove traces of the keylogging activity, such as deleting log files or removing the hook.

Impact

A successful keylogging attack can lead to the compromise of user credentials, financial information, and other sensitive data. This can result in financial loss, identity theft, and reputational damage. Organizations across various sectors, including finance, healthcare, and government, are at risk. The impact is magnified if the compromised credentials provide access to critical systems or data. Depending on the scope and duration of the keylogging activity, hundreds or thousands of users may be affected.

Recommendation

  • Enable PowerShell Script Block Logging and monitor for Event ID 4104 to capture the full content of PowerShell scripts.
  • Deploy the provided Sigma rules to your SIEM to detect PowerShell scripts that contain keylogging-related API calls or functions.
  • Investigate any alerts generated by the Sigma rules, focusing on the script content, process execution details, and network connections.
  • Implement application control policies to restrict the execution of unauthorized PowerShell scripts.
  • Educate users about phishing and other social engineering tactics used to deliver malicious PowerShell scripts.
  • Regularly review and update your PowerShell security policies to address emerging threats.

Detection coverage 2

Detect PowerShell Keylogging via GetAsyncKeyState

high

Detects PowerShell scripts using GetAsyncKeyState for keylogging.

sigma tactics: collection techniques: T1005 sources: process_creation, windows

Detect PowerShell Keylogging via SetWindowsHookEx

high

Detects PowerShell scripts setting Windows hooks for keylogging.

sigma tactics: collection techniques: T1005 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →