Ares-mythic/documentation-payload/ares/commands/keylog_inject.md
Aryma 03d283cf49 refactor(payload): rename apollo to ares and update documentation
This commit renames the Apollo payload type to Ares, moving all associated files and updating documentation accordingly. The change includes:
- Renaming directories from `apollo` to `ares`
- Updating documentation image references
- Maintaining the same code functionality while changing the payload name
- Adding new Ares-specific documentation files
- Removing old Apollo documentation files

The rename is done to reflect the new payload name while preserving all existing functionality.
2026-04-14 14:02:44 +07:00


+++
title = "keylog"
chapter = false
weight = 103
hidden = false
+++

{{% notice info %}} Artifacts Generated: Process Inject {{% /notice %}}

Summary

Start a keylogger in a specified process.

Arguments (Positional)

PID

The ID of the target process into which the keylogging stub is injected.

Usage

keylog_inject -PID [pid]

Example

keylog_inject -PID 1234

MITRE ATT&CK Mapping

  • T1056

Artifacts

  • Process Inject

Detailed Summary

The keylog_inject command uses the GetAsyncKeyState Windows API to log keystrokes and send them back to Mythic. This is done with a standalone .NET assembly that is loaded by the same CLR loader stub used for execute_assembly. The CLR loader is injected into the specified process and executes the keylogger assembly, which then begins logging keystrokes and sending them over a named pipe to the agent.

Keystrokes can be found in the Operational Views > Keylogs page. They are sorted by host, then user, then window title. When new keystrokes are retrieved, a balloon notification appears in the top right notifying you of the new keystrokes.
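From the defender's side, the chain described above (code injected into a target process, a CLR load inside that process, then named-pipe traffic) can be correlated in Sysmon telemetry. The Python below is an added example, not part of the Ares or Mythic code; the event records, paths and pipe names are constructed, and it assumes the injection is logged as a Sysmon CreateRemoteThread event (ID 8) and that a 60-second window is adequate.

```python
from datetime import datetime, timedelta

# Constructed, simplified Sysmon-style records: field names follow Sysmon, all
# values are made up. Assumption: the injection is logged as event ID 8.
SAMPLE_EVENTS = [
    {"EventID": 8, "UtcTime": "2026-04-14 07:10:00", "SourceProcessId": 4120,
     "SourceImage": r"C:\Users\Public\agent.exe", "TargetProcessId": 1234,
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "UtcTime": "2026-04-14 07:10:01", "ProcessId": 1234,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 17, "UtcTime": "2026-04-14 07:10:02", "ProcessId": 1234,
     "PipeName": r"\example-pipe"},
    # Benign noise: a .NET process loading the CLR with no prior injection.
    {"EventID": 7, "UtcTime": "2026-04-14 07:11:00", "ProcessId": 5555,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 17, "UtcTime": "2026-04-14 07:11:01", "ProcessId": 5555,
     "PipeName": r"\another-example-pipe"},
]

CLR_MODULES = ("clr.dll", "clrjit.dll", "mscoree.dll")


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def correlate_injected_clr(events, window_seconds=60):
    """Return one finding per cross-process thread creation that is followed,
    in the target process and within the window, by a CLR load and pipe use."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for inj in (e for e in events if e["EventID"] == 8):
        if inj["SourceProcessId"] == inj["TargetProcessId"]:
            continue  # a thread created inside the same process is not injection
        pid, start = inj["TargetProcessId"], _ts(inj)
        later = [e for e in events if e.get("ProcessId") == pid
                 and timedelta(0) <= _ts(e) - start <= window]
        clr = [e["ImageLoaded"] for e in later if e["EventID"] == 7
               and e["ImageLoaded"].lower().endswith(CLR_MODULES)]
        pipes = [e["PipeName"] for e in later if e["EventID"] in (17, 18)]
        if clr and pipes:  # both follow-on artifacts seen in the target
            findings.append({"target_pid": pid, "source_image": inj["SourceImage"],
                             "clr_modules": clr, "pipes": pipes})
    return findings


if __name__ == "__main__":
    for finding in correlate_injected_clr(SAMPLE_EVENTS):
        print(finding)
```

On real telemetry, key the correlation on Sysmon's ProcessGuid rather than the PID, since PIDs are reused, and baseline processes that legitimately host the CLR.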
