Try in Splunk Security Cloud


SnakeKeylogger is a stealthy malware designed to secretly record keystrokes on infected devices. It operates covertly in the background, capturing sensitive information such as passwords and credit card details. This keylogging threat poses a significant risk to user privacy and security.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2024-02-12
  • Author: Teoderick Contreras, Splunk
  • ID: 0374f962-c66a-4a67-9a30-24b0708ef802


SnakeKeylogger, a notorious malware, first emerged in the early 2010s, gaining infamy for its clandestine ability to capture keystrokes on compromised systems. As a stealthy threat, it infiltrates computers silently, recording every keystroke entered by users, including sensitive information like passwords and financial details. Over time, it has evolved to evade detection mechanisms, posing a persistent threat to cybersecurity. Its widespread use in various cybercrime activities underscores its significance as a tool for espionage and data theft. Despite efforts to combat it, SnakeKeylogger continues to lurk in the shadows, perpetuating its malicious activities with devastating consequences.


Name Technique Type
Detect Regasm Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Download Files Using Telegram Ingress Tool Transfer TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
High Process Termination Frequency Data Encrypted for Impact Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Processes launching netsh Disable or Modify System Firewall, Impair Defenses Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process Executed From Container File Malicious File, Masquerade File Type TTP
Windows Credential Access From Browser Password Store Query Registry Anomaly
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
Windows File Transfer Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information Hunting
Windows Non Discord App Access Discord LevelDB Query Registry Anomaly
Windows Phishing PDF File Executes URL Link Spearphishing Attachment, Phishing Anomaly
Windows System Network Connections Discovery Netsh System Network Connections Discovery Anomaly
Windows Time Based Evasion via Choice Exec Time Based Evasion, Virtualization/Sandbox Evasion Anomaly
Windows Unsecured Outlook Credentials Access In Registry Unsecured Credentials Anomaly
Windows User Execution Malicious URL Shortcut File Malicious File, User Execution TTP


source | version: 1