Regular expression of Keylogger detector


Keyloggers record everything you type on your computer and transmit the information to a hacker or scammer, which is how they get a hold of your passwords, bank account number or other information you don’t want to share. There are many solutions to this problem, but if you want to find the best antivirus for keyloggers, you should follow our guide and determine which one is the most effective yourself.

  • QRadar AQL
SELECT UTF8(payload) as search_payload, "Image", "File Hash" from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and "EventID"='1' and ("File Hash" = '21921864D2F1AB2761C36031A2E1D2C00C9B304A' or "File Hash" = '3C2D0615BEF6F88FED6E308D4F45B6133080C74F' or "File Hash" = '91E8346910E0E6783ACFC4F2B9A745C81BD7573A')
  • Splunk
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1" (file_hash="21921864D2F1AB2761C36031A2E1D2C00C9B304A" OR file_hash="3C2D0615BEF6F88FED6E308D4F45B6133080C74F" OR file_hash="91E8346910E0E6783ACFC4F2B9A745C81BD7573A")) | table Image,TargetObject,Hashes
  • Elastic Query
(winlog.channel:"Microsoft-Windows-Sysmon\/Operational" AND winlog.event_id:"1" AND winlog.event_data.Hashes:("21921864D2F1AB2761C36031A2E1D2C00C9B304A" OR "3C2D0615BEF6F88FED6E308D4F45B6133080C74F" OR "91E8346910E0E6783ACFC4F2B9A745C81BD7573A"))
  • EDR Carbon Black
(childproc_count:[1 to *] AND (file_hash:21921864D2F1AB2761C36031A2E1D2C00C9B304A OR file_hash:3C2D0615BEF6F88FED6E308D4F45B6133080C74F OR file_hash:91E8346910E0E6783ACFC4F2B9A745C81BD7573A))
  • Windows PowerShell
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and ($_.message -match "21921864D2F1AB2761C36031A2E1D2C00C9B304A" -or $_.message -match "3C2D0615BEF6F88FED6E308D4F45B6133080C74F" -or $_.message -match "91E8346910E0E6783ACFC4F2B9A745C81BD7573A")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message

Leave a Reply

Your email address will not be published.