Software keylogging remains a persistent method for credential theft on Windows systems, enabling attackers to quietly collect sensitive input before escalating access. Effective defense starts with understanding how keyboard input travels through user-mode interfaces and where attackers intercept it, from polling and hooks to Raw Input and DirectInput paths. Behavioral detection can surface these patterns early enough to prevent follow-on compromise, but visibility gaps still exist in common telemetry used by EDR tools. Hotkey-based keylogging techniques, including methods disclosed in 2024, further strain traditional monitoring by avoiding expected traces.

In this session, led by Asuka Nakajima, senior security research engineer at Elastic, you will learn:

• Behavioral patterns behind polling, hook-based and input model keylogging;
• Using Windows-native telemetry to identify suspicious keyboard access;
• Detection challenges introduced by hotkey-based techniques.