← Back to SOC feed Coverage →

PUA - Mouse Lock Execution

sigma MEDIUM SigmaHQ
T1056.002
imProcessCreate
credential-theft
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T11:00:00Z · Confidence: medium

Hunt Hypothesis

In Kaspersky’s 2020 Incident Response Analyst Report they listed legitimate tool “Mouse Lock” as being used for both credential access and collection in security incidents.

Detection Rule

Sigma (Original)

title: PUA - Mouse Lock Execution
id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: test
description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
references:
    - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
    - https://sourceforge.net/projects/mouselock/
author: Cian Heasley
date: 2020-08-13
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Product|contains: 'Mouse Lock'
        - Company|contains: 'Misc314'
        - CommandLine|contains: 'Mouse Lock_'
    condition: selection
falsepositives:
    - Legitimate uses of Mouse Lock software
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessFileProduct contains "Mouse Lock" or TargetProcessFileCompany contains "Misc314" or TargetProcessCommandLine contains "Mouse Lock_"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml