title: Mouse Lock Credential Gathering id: c9192ad9-75e5-43eb-8647-82a0a5b493e3 status: experimental description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents. author: Cian Heasley reference: - https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf - https://sourceforge.net/projects/mouselock/ date: 2020/08/13 tags: - attack.credential_access - attack.collection - attack.t1056.002 logsource: category: process_creation detection: selection: - Product|contains: 'Mouse Lock' - Company|contains: 'Misc314' - CommandLine|contains: 'Mouse Lock_' condition: selection fields: - Product - Company - CommandLine falsepositives: - Legitimate uses of Mouse Lock software level: medium