
What Is a Keylogger? Types and Detection

A keylogger is software or hardware that records the keys a user presses and sends that record to an attacker to steal credentials and other typed data.

A keylogger does one thing, and it does it patiently: it records every key a user presses, then hands that record to whoever planted it. No exploit chain, no privilege escalation, no lateral movement is required to read a password. The user types it. The tool writes it down. The DarkHotel campaign built a whole espionage operation on that idea, dropping keystroke loggers onto executives through compromised hotel Wi-Fi portals, recording what they typed, then deleting itself to leave no trace. The target never clicked a malicious attachment. They connected to the internet and started working.

A keylogger is software or hardware that captures keyboard input. A keylogger attack is the use of one to steal what a victim types: credentials, payment card numbers, message contents, anything that passes through a keyboard. This guide covers what a keylogger is, the hardware and software types you will actually encounter, how attackers install and use them, how keylogging maps to MITRE ATT&CK, and the artifacts that give one away. It is written for the people who have to find one on a host they own: SOC analysts, threat hunters, and DFIR responders.

What is a keylogger?

A keylogger, short for keystroke logger, is a tool that records the keys pressed on a device and stores or transmits that record. The malicious version captures keystrokes without the user's knowledge and sends them to an attacker. The defining trait is interception of input before any application or website ever sees it, which is what makes it so effective against passwords: it reads the secret as it is typed, before encryption, before masking, before the login form submits.

Not every keylogger is criminal. The technology has legitimate uses: parental monitoring, employee-activity tracking on company devices, and IT troubleshooting that needs to reproduce exactly what a user did. The mechanism is identical in both cases. What changes is consent and intent. A keylogger installed without the user's knowledge, to take data that is not the installer's to take, is the attack. The same binary that a help desk uses to debug an input bug is, dropped by an intruder, a credential harvester.

A keylogger is rarely the whole attack. It is a collection tool, one stage of a larger intrusion. Something has to deliver it: a phishing email, a malicious script on a web page, a software bundle the user installed, or hands-on physical access. Once running, it sits quietly and harvests. Then a second mechanism, a command and control channel, carries the stolen keystrokes back out. The tool gets the secret. The channel gets it home.

This is also why keyloggers are a favorite of both commodity crime and targeted espionage. A banking trojan uses one to lift online-banking credentials at scale. A nation-state operator uses one to read a specific executive's email as they compose it. The tool is the same. The patience and the targeting differ.

Types of keyloggers

Keyloggers split first by whether they are physical or software, and software keyloggers split again by where in the stack they hook input. Where one sits determines what it can see and how you find it.

Hardware keyloggers. A hardware keylogger is a physical device that sits between the keyboard and the computer, or inside the keyboard itself. The classic form is a small inline connector on a USB or PS/2 cable that logs keystrokes to onboard memory. Others hide inside the keyboard housing, masquerade as a USB charging adapter, or capture the wireless signal from a wireless keyboard. They require physical access to install and usually physical access to retrieve, which limits them to insider threats, evil-maid scenarios, and targeted operations. They leave no file on disk and no process in memory, so endpoint software never sees them. The only reliable detection is a physical inspection of the machine.

Software keyloggers. A software keylogger is a program that intercepts keystrokes from the operating system. This is the type a SOC meets, because it can be delivered remotely at scale and needs no physical access. Software keyloggers differ by how they capture input:

  • Kernel-level keyloggers install as a driver and read keystrokes from the lowest level of the input stack. They are the hardest to detect because they run with the same privilege as the operating system's own input handling, and the tools you would use to inspect the system can be subverted.
  • API-based keyloggers hook the operating system functions that applications call to receive keyboard input, such as the Windows keyboard hooks. They run in user space, which makes them easier to write and more common, and also more visible to endpoint tooling that watches for hooking behavior.
  • Form-grabbing keyloggers do not log every key. They intercept data from web form fields at submission, capturing a username and password as a complete set the moment the user clicks submit, which sidesteps on-screen keyboards and some anti-keylogging defenses.
  • JavaScript keyloggers are scripts injected into a web page, often through a compromised site or a cross-site scripting flaw, that capture what a visitor types into that page. Magecart-style payment-skimming attacks are this type aimed at checkout pages.

The deeper it sits, the more it sees and the harder it is to find. A kernel driver captures everything and hides well. A JavaScript keylogger sees only one page but needs no foothold on the endpoint at all.

How attackers install and use a keylogger

Keylogger operation: land, capture, phone home. A keylogger reads the secret as it is typed, before encryption or masking, then ships the log out.

  • 01 Delivery (get on the host): phishing, a drive-by download, a trojanized installer, or a physical device.
  • 02 Capture (hook the input): record keystrokes, clipboard, screenshots, and the active window title. ATT&CK: T1056.001.
  • 03 Steal (lift the credential): the password is read as typed, before masking or encryption hides it. ATT&CK: TA0006.
  • 04 Exfiltrate (ship the log out): small, steady beacons to a server, inbox, FTP drop, or chat webhook. ATT&CK: TA0011.

Defender's read: keylogging is Input Capture (T1056.001) under both Collection and Credential Access. Hunt the input-capture behavior on the host, hunt the small steady exfiltration on the network, and inspect the hardware where software cannot look.

A software keylogger has to get onto the host, and the delivery routes are the same ones every other piece of commodity malware uses. Phishing is the most common: an attachment or link that runs a loader, which installs it as one component of a larger payload. Drive-by downloads from a compromised or malicious web page do it without an attachment. Trojanized software, a real installer bundled with a hidden keylogger, does it with the user's own click. For hardware keyloggers, the delivery is a person physically plugging in a device.

Once installed, it does two jobs. First it captures. It records keystrokes, and modern ones grab more than keys: clipboard contents, screenshots on a timer, the title of the active window so the operator knows which keystrokes belong to which application, and form data at submission. The window-title detail matters, because it turns a raw stream of characters into structured intelligence: these keystrokes were typed into a banking site, those into an email client.

Then it exfiltrates. The tool stores its log locally and ships it out on a schedule over a command and control channel, the same outbound beaconing pattern other malware uses. The log goes to an attacker server, an email inbox, an FTP drop, or a chat-app webhook, usually disguised as ordinary outbound traffic. A keylogger that cannot phone home is just a local file the attacker still has to retrieve, which is why exfiltration is where many software keyloggers become visible.

Keyloggers rarely travel alone. They are a standard module in remote access trojans and banking trojans, bolted alongside screen capture, credential theft, and a remote shell. The module is the part that catches what others cannot reach: the password a user types that is never stored on disk for a credential dumper to find.

How keylogging maps to MITRE ATT&CK

ATT&CK gives keylogging a precise home, and it sits under two tactics at once, which is the key to understanding what the tool is for.

Keylogging is T1056.001, a sub-technique of T1056 (Input Capture). ATT&CK places Input Capture under two tactics: Collection (TA0009) and Credential Access (TA0006). That dual placement is the whole point. A keylogger is a Collection tool, gathering data of interest from the host, and it is a Credential Access tool, capturing the passwords and keys a user types. ATT&CK lists the concrete methods it uses: hooking the API callbacks that process keystrokes, reading raw keystroke data from the hardware buffer, and installing a keyboard filter driver, which line up exactly with the API-based and kernel-level types above.

The exfiltration that follows belongs to a different tactic. Shipping the keystroke log out maps to Command and Control (TA0011) for the channel and the Exfiltration tactic for the act of sending data. So a full keylogger operation crosses three tactics: it collects under Collection, steals credentials under Credential Access, and phones home under Command and Control. Seeing it that way gives the detection plan directly. Hunt the input-capture behavior on the host, and hunt the phone-home on the network.

Detecting a keylogger

A software keylogger has to do two visible things: hook into the input path, and send what it captures somewhere. Both leave artifacts, even when it is quiet. Hardware keyloggers are a separate problem and need a physical answer.

Anomalous process and hooking behavior. A user-space keylogger has to register a keyboard hook or read input through OS APIs. Endpoint detection tooling can flag a process setting a global keyboard hook, especially one with no business handling input. Look for unknown processes that persist across reboots, run from user-writable or temporary directories, and have no signed publisher. The behavior, not the file name, is the tell.

Anomalous outbound traffic. Exfiltration is where many keyloggers are caught. Hunt for periodic outbound connections to the same external host, uploads to unexpected destinations such as a paste site, an FTP server, or a chat-app webhook, and small regular data transfers from a host that should be idle. Keystroke logs are small and steady, which produces a distinctive low-volume beacon. This is the command and control behavior it shares with the rest of its malware family.
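An added example, not code from the original page: a hunt over constructed outbound connection records that scores each source/destination pair on timing regularity and payload size, which is the low-volume beacon described above. The addresses, byte counts and thresholds are assumptions.

```python
"""Low-volume beacon hunt over outbound connection records.

Keystroke logs are small and shipped on a schedule, so a keylogger's
exfiltration looks like many small uploads to one external host at
near-constant intervals. Each (source, destination) pair is scored on
timing jitter (stdev of gaps / mean gap) and on median bytes sent.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample records: (epoch seconds, source host, destination, bytes sent).
# 10.0.0.7 -> 203.0.113.9 is the assumed beacon: ~1 KB every 5 minutes, little jitter.
# 10.0.0.7 -> 198.51.100.4 is assumed normal browsing: bursty timing, large sizes.
# 10.0.0.7 -> 192.0.2.50 has too few events to judge and is skipped.
FLOWS = [
    (0, "10.0.0.7", "203.0.113.9", 1024), (301, "10.0.0.7", "203.0.113.9", 1100),
    (598, "10.0.0.7", "203.0.113.9", 980), (902, "10.0.0.7", "203.0.113.9", 1050),
    (1199, "10.0.0.7", "203.0.113.9", 1010), (1502, "10.0.0.7", "203.0.113.9", 1090),
    (1799, "10.0.0.7", "203.0.113.9", 1000), (2101, "10.0.0.7", "203.0.113.9", 1030),
    (15, "10.0.0.7", "198.51.100.4", 52000), (20, "10.0.0.7", "198.51.100.4", 120000),
    (22, "10.0.0.7", "198.51.100.4", 8000), (400, "10.0.0.7", "198.51.100.4", 64000),
    (410, "10.0.0.7", "198.51.100.4", 300000), (1300, "10.0.0.7", "198.51.100.4", 9000),
    (1310, "10.0.0.7", "198.51.100.4", 75000), (1312, "10.0.0.7", "198.51.100.4", 41000),
    (50, "10.0.0.7", "192.0.2.50", 700), (1900, "10.0.0.7", "192.0.2.50", 650),
]


def beacon_scores(flows, min_events=6, max_jitter=0.10, max_median_bytes=4096):
    """Score every (src, dst) pair with at least min_events connections.

    Thresholds are assumed starting points for tuning: a jitter at or below
    max_jitter with a median payload at or below max_median_bytes is flagged.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    scores = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # not enough samples to call the timing regular
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mean_gap = mean(gaps)
        jitter = pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        med_bytes = median([n for _, n in events])
        scores[pair] = {
            "events": len(events),
            "mean_gap_s": round(mean_gap, 1),
            "jitter": round(jitter, 3),
            "median_bytes": med_bytes,
            "suspicious": jitter <= max_jitter and med_bytes <= max_median_bytes,
        }
    return scores


def suspicious_pairs(flows, **thresholds):
    """Return the flagged (src, dst) pairs, most regular first."""
    scores = beacon_scores(flows, **thresholds)
    flagged = [p for p, s in scores.items() if s["suspicious"]]
    return sorted(flagged, key=lambda p: scores[p]["jitter"])


if __name__ == "__main__":
    for pair, s in beacon_scores(FLOWS).items():
        print(pair, s)
    print("flagged:", suspicious_pairs(FLOWS))
```

On real flow data, raise min_events and tune the jitter threshold against a baseline window so that legitimate schedulers (update checks, mail polling) can be allow-listed by destination rather than by pattern.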

Persistence enumeration. A keylogger that survives reboots has to register somewhere: a Run key, a scheduled task, a service, a startup folder, or, for a kernel keylogger, a driver. Hunt the autostart locations directly and compare against a known-good baseline. The autostart list is finite, which is what makes this reliable.
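An added example, not code from the original page, that combines the host-side tells from the two paragraphs above: it diffs a constructed autostart inventory against a known-good baseline and scores each new entry on whether its image lives in a user-writable or temporary path and whether it has a signed publisher. The inventory shape, entry names and path patterns are assumptions.

```python
"""Autostart triage against a known-good baseline.

A software keylogger that survives reboots must register in a finite set of
autostart locations (Run keys, scheduled tasks, services, startup folders,
drivers). Diff a current inventory against a baseline and score each new
entry on the host-side tells: image in a user-writable or temporary path,
and no signed publisher.
"""
import re

# Assumed set of user-writable and temporary locations on Windows; extend to taste.
USER_WRITABLE = re.compile(
    r"^(?:%temp%|%appdata%|%localappdata%"
    r"|c:\\users\\[^\\]+\\(?:appdata|downloads)"
    r"|c:\\programdata|c:\\windows\\temp)",
    re.IGNORECASE,
)

# Constructed inventories in the shape of an autostart export:
# location, entry name, image path, whether the image carries a valid signature.
BASELINE = [
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "VendorUpdater",
     "image": r"C:\Program Files\VendorApp\updater.exe", "signed": True},
    {"location": "Scheduled Tasks", "name": "VendorMaintenance",
     "image": r"C:\Program Files\VendorApp\maint.exe", "signed": True},
]
INVENTORY = BASELINE + [
    # New, unsigned, living in the user's temp directory: the classic profile.
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "InputHelper",
     "image": r"C:\Users\alice\AppData\Local\Temp\inputhelper.exe", "signed": False},
    # New but signed and under Program Files: worth a look, lower priority.
    {"location": "Scheduled Tasks", "name": "VendorBackup",
     "image": r"C:\Program Files\VendorApp\backup.exe", "signed": True},
]


def triage_autostarts(current, baseline):
    """Return entries absent from the baseline, highest risk score first."""
    known = {(e["location"], e["name"], e["image"].lower()) for e in baseline}
    findings = []
    for entry in current:
        key = (entry["location"], entry["name"], entry["image"].lower())
        if key in known:
            continue  # unchanged since the known-good snapshot
        reasons = ["not in baseline"]
        if USER_WRITABLE.match(entry["image"]):
            reasons.append("image in user-writable or temp path")
        if not entry.get("signed"):
            reasons.append("no signed publisher")
        findings.append({**entry, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage_autostarts(INVENTORY, BASELINE):
        print(f["score"], f["location"], f["name"], f["image"], "; ".join(f["reasons"]))
```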

Driver and integrity checks. A kernel-level keylogger loads as a driver. Audit loaded drivers for unsigned or unexpected entries, and use integrity monitoring to catch new driver registrations and modified system files. Because a kernel keylogger can subvert the tools running beside it, the strongest checks come from outside the running system: offline disk analysis and comparison against known-good hashes.

Physical inspection. No software finds a hardware keylogger. Inspect the back of the machine and the keyboard cable for an unexpected inline device or adapter, and include high-risk and shared endpoints in a physical audit routine. For wireless keyboards, treat the radio path as in scope too.

Keylogger types and their detection signals

The type of keylogger determines where it hides, which determines where you look. This table maps each type to where it lives and its most reliable detection signal.

Keylogger type | Where it lives | ATT&CK mapping | Strongest detection signal
Hardware | Inline device or inside keyboard | n/a (no host artifact) | Physical inspection of cable and ports
Kernel-level | OS driver / input stack | T1056.001 (Collection, Credential Access) | Unsigned or unexpected driver; offline integrity check
API-based | User-space process, keyboard hook | T1056.001 | Process registering a global keyboard hook
Form-grabbing | Browser process / injected code | T1056.001 | Form data captured at submit; browser process anomaly
JavaScript | Compromised web page | T1056.001 | Unexpected script on page; outbound POST to attacker host

Preventing and responding to keyloggers

Prevention shrinks the ways a keylogger arrives and limits what one can steal even if it lands. Patch and harden the endpoint so a drive-by download has nothing to exploit. Filter email and block malicious attachments and links, because phishing is the top delivery route. Restrict who can install software and load drivers, which closes the path for both trojanized installers and kernel keyloggers. Control and log outbound traffic so the exfiltration is constrained and visible. For the data itself, multi-factor authentication is the highest-value control: a captured password alone does not complete a login when a second factor is required, which blunts the primary payoff. For hardware keyloggers, the controls are physical: port security, tamper-evident seals on high-risk machines, and a physical inspection routine.

Response to a confirmed keylogger has one rule that drives the rest: assume everything typed since infection is compromised. Establish when it was installed, then rotate every credential that was entered on that host in the window, starting with the most sensitive. Do not stop at removing the binary. A keylogger usually rides with a larger payload, so scope for the rest of it: the loader that delivered it, the persistence it registered, the command and control channel it used, and any other module in the family. Then evict all of it at once, rotate the affected credentials, and rebuild the host where a kernel-level or firmware-level compromise is possible. The same input-capture and exfiltration hunting used to detect one is what scopes the cleanup.

Frequently Asked Questions

What is a keylogger in simple terms?

A keylogger is a tool, either software or a physical device, that secretly records every key a person types on a keyboard. Attackers use it to steal passwords, card numbers, and messages as the victim types them, before the data is encrypted or hidden behind password dots. The recorded keystrokes are then sent back to the attacker.

What is the difference between hardware and software keyloggers?

A hardware keylogger is a physical device plugged between the keyboard and computer or hidden inside it, and it requires physical access to install and retrieve. A software keylogger is a program that intercepts keystrokes from the operating system and can be delivered remotely through phishing or a malicious download. Software keyloggers are far more common in attacks; hardware ones are limited to insider and targeted scenarios.

How do keyloggers get installed?

Software keyloggers usually arrive the same way other malware does: a phishing email with a malicious attachment or link, a drive-by download from a compromised web page, or software bundled with a hidden keylogger that the user installs themselves. They are also a built-in module of many remote access and banking trojans. Hardware keyloggers require someone to physically plug in a device.

How do you detect a keylogger?

Hunt the two things a software keylogger cannot avoid: hooking into the input path and sending captured keystrokes out. Look for unknown processes registering keyboard hooks, unsigned or unexpected drivers, persistence in autostart locations, and small regular outbound transfers to an unusual destination. A hardware keylogger leaves no software trace and is found only by physically inspecting the machine and its cables.

Can a keylogger steal passwords protected by multi-factor authentication?

A keylogger can capture the password, but multi-factor authentication means the password alone is not enough to log in. That is exactly why MFA is the highest-value defense against keyloggers: it breaks the payoff. Be aware that advanced attacks can also capture one-time codes typed on the keyboard or session tokens, so MFA reduces the risk sharply but does not eliminate it.

Are keyloggers always illegal?

No. Keyloggers have legitimate uses such as parental monitoring, monitoring activity on company-owned devices with disclosure, and IT troubleshooting. The mechanism is the same; what makes it an attack is installing one without consent to take data that is not yours. The line is consent and authorization, not the technology itself.

How does keylogging map to MITRE ATT&CK?

Keylogging is technique T1056.001, a sub-technique of T1056 (Input Capture). ATT&CK places it under two tactics at once: Collection (TA0009) and Credential Access (TA0006), because the tool both gathers host data and captures credentials. Exfiltrating the captured log then maps to Command and Control (TA0011) and the Exfiltration tactic.

The bottom line

A keylogger records what a user types and hands it to an attacker, capturing secrets at the one moment they are not protected: as they are typed. The types run from hardware devices that need physical access and leave no software trace, to software keyloggers that hook the input path at the kernel, the API, the web form, or the page script, differing mainly in how deep they sit and how much they see.

In ATT&CK terms keylogging is Input Capture (T1056.001) under both Collection and Credential Access, and the captured log leaves over a Command and Control channel. That framing is also the detection plan: hunt the input-capture behavior on the host, hunt the small steady exfiltration on the network, and inspect the hardware where software cannot look. The response rule is the one that defines the cleanup: assume everything typed since infection is gone, rotate it, and scope for the larger payload it almost always travels with.
