Playbook Series: Keyloggers: Prevent the loss of sensitive information

Keyloggers are among the most common types of malware that attackers use to harvest and steal sensitive information. The data they target ranges from passwords to credit card numbers to intellectual property, so identifying and stopping a keylogger before it can exfiltrate that data is a top priority for security teams worldwide.

To help teams meet that goal, today's entry in our playbook series is the Keylogger Response playbook. It shows how you can automate the investigation and containment of endpoints suspected of carrying a keylogger: the playbook quickly investigates the suspected infection and, if the infection is confirmed, contains it until an analyst can look further, reducing the chance that sensitive information is lost.

Note: The Phantom team is in the process of publishing the playbook to our community repository and expects it to appear on the Phantom platform in the coming days.


A visual representation of the Keylogger Response playbook as viewed in the Phantom 2.0 platform (image: keylogger-response-playbook).



The Keylogger Response playbook begins execution when Phantom receives an alert from a SIEM platform such as Splunk, ArcSight, or IBM QRadar.

The playbook then attempts to locate the affected VM, extract a sample of the suspicious file, and detonate that sample in a file analysis sandbox such as Cisco AMP Threat Grid.

If the analysis results show keylogging behavior, the playbook executes the defined User Management Course of Action (CoA):

  • log off user
  • disable user
  • reset password

These actions limit the ability of the malware, or of an attacker holding the credentials it has already captured, to move laterally within the network using the user's account. Perform the password reset from a clean system rather than on the affected endpoint: a keylogger that is still running there would capture the new credential as it is typed.

Finally, the playbook executes the standard response actions that apply whenever malware is confirmed, whether or not it is a keylogger:

  • block hash
  • terminate process
  • send email

Automating this workflow provides multiple benefits:

  • Reduces the risk of data loss: the investigation starts the moment a keylogger infection is suspected, and containment follows as soon as the sandbox confirms it.
  • Increases the efficiency and productivity of your SecOps team by automating steps that are often repeated.
  • Ensures consistency by following your process the same way, every time.

Interested in seeing how Phantom playbooks can help your organization?  Get the free Phantom Community Edition.

Posted by Chris Simmons

Chris Simmons is a Senior Product Marketing Manager with Splunk. Chris currently focuses on the Splunk Phantom platform and the Security Orchestration, Automation and Response segment of the security market. Previously, he led Product Marketing at Phantom and has held various product roles at IBM, Cisco, Sourcefire, and Fortinet.

