Security Research Team

Notes on Keylogging via ETW

Since our first post announcing our ETW USB keylogger from our Ruxcon talk, we've been getting a lot of questions about our work (which we greatly appreciate!). One of the questions we've been asked is how to extract keystrokes from USB data using ETW, so we wanted to share some of our notes and disclose some of the "lessons learned" during our analysis and development.

USB Keyboard Basics

If you are new to the USB protocol (like us), the first thing you'll likely notice is that USB keyboards (and USB devices in general) are VERBOSE. There will be a huge number of USB "packets", or URBs (USB Request Blocks: https://msdn.microsoft.com/en-us/library/windows/hardware/ff537056(v=vs.85).aspx), coming from a keyboard at a rate defined by the device. This is known as the keyboard's polling rate. It's important to remember that USB keyboards are not interrupt-based; rather, they are polled for data. Polling frequencies in USB keyboards vary but are usually somewhere around 125 Hz, which means that every 8 ms or so, depending on the device, the keyboard will transmit the keyboard state, which equates to 300-400 bytes (when captured using ETW).


Sniffing USB Keystrokes from PowerShell Empire via ETW

November 10, 2016 by SRT Team

We're happy to announce that our ETW keylogger PoC code from our talk at Ruxcon 2016 (slides here: https://ruxcon.org.au/assets/2016/slides/ETW_16_RUXCON_NJR_no_notes.pdf) has been turned into a PowerShell Empire module: https://github.com/CyberPoint/ETWKeyLogger_PSE

Due to PowerShell's close relationship with .NET/CLR PowerShell Empire (http://www.powershellempire.com/), it was…


Logging Keystrokes with Event Tracing for Windows (ETW)

October 22, 2016 by SRT Team

As a follow-up to our talk at Ruxcon, "Make ETW Great Again", we wanted to go into a bit more depth than we could cover in our hour-long talk. While our talk consisted of multiple examples of ETW usage (detecting ransomware, USB keylogging, and sniffing SSL-encrypted data from WinINet; our code can be found here: https://github.com/CyberPoint/Ruxcon2016ETW), we wanted to specifically discuss USB keylogging here.


Deploying a Distributed Honeypot Network

Posted October 4, 2016 by SRT Team

It's a system that houses Dockerized containers of some of the most popular open source honeypots such as Suricata, Honeytrap, Cowrie, Glastopf, and Dionaea. While there are plenty of other open source honeypots out there, this list makes for a solid foundation for a new honeypot setup (or a great addition to an existing one).


GUNSEN: Powering A Fuzzer on Commodity Hardware

Posted July 22, 2016 by SRT Team



Vulnerability Response: A Tale of Two Vendors

Posted February 10, 2016 by SRT Team

It was the best of timelines (the other was the worst of timelines…) Greg Linares of CyberPoint's SRT (Security Research Team) recently had one of the vulnerabilities he discovered patched by the vendor, Microsoft.


char buff[100]; sprintf(buff, "Hello World! %s", argv[1]);

Posted January 15, 2016 by SRT Team

It's with great pleasure and humility that we announce the formation of our new group: the CyberPoint Security Research Team (or, as we call it around the office, SRT).


Follow us on Twitter!

@CyberPoint_SRT
