Severity 7 Alerts seen indicating "called WinAPI SetWindowsHookEx. Adversaries may use this API to perform keylogging."

Article ID: 403731

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

High Severity (7+) alerts occur in the console against known-good software after June 2025. The alert text reads: "called WinAPI SetWindowsHookEx. Adversaries may use this API to perform keylogging."

Environment

  • Carbon Black Cloud Endpoint Standard: Current Version
  • Carbon Black Cloud Enterprise EDR: Current Version
  • Carbon Black Cloud Windows Sensor: All Supported Versions
  • Microsoft Windows OS: All Supported Versions

Cause

Carbon Black Cloud rules were updated in 25v3 to include detections for API calls that can be used for keylogging. This update was made available in the June 2025 timeframe.

Resolution

Review the behavior of the software and confirm with the vendor/source that it is expected. If the software is known good and the behavior is expected, you may approve the hash, which prevents future alerts on the same binary; dismiss the alert and manage future alerts as they occur; or implement a Crossprocs Event Reporting Exclusion for the binary.
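A triage helper for the resolution above, as an added example (not Carbon Black's own code or API): it filters severity-7 alerts carrying the SetWindowsHookEx text, groups them by process hash, and flags which binaries are candidates for hash approval once the vendor has confirmed the behavior. The alert field names (reason, severity, process_sha256, process_name, device_name) and the sample records are constructed assumptions, not the Carbon Black Cloud alert schema.

```python
from collections import defaultdict

HOOK_MARKER = "called WinAPI SetWindowsHookEx"  # alert text quoted in the article
REASON = "{} called WinAPI SetWindowsHookEx. Adversaries may use this API to perform keylogging."

# Constructed sample alerts (not real telemetry); the field names are assumptions.
SAMPLE_ALERTS = [
    {"severity": 7, "process_sha256": "HASH_A", "device_name": "WS-01",
     "process_name": r"c:\program files\vendor\helper.exe", "reason": REASON.format("helper.exe")},
    {"severity": 7, "process_sha256": "HASH_A", "device_name": "WS-02",
     "process_name": r"c:\program files\vendor\helper.exe", "reason": REASON.format("helper.exe")},
    {"severity": 7, "process_sha256": "HASH_A", "device_name": "WS-03",
     "process_name": r"c:\program files\vendor\helper.exe", "reason": REASON.format("helper.exe")},
    {"severity": 7, "process_sha256": "HASH_B", "device_name": "WS-07",
     "process_name": r"c:\users\jdoe\appdata\local\temp\svc.exe", "reason": REASON.format("svc.exe")},
    {"severity": 5, "process_sha256": "HASH_C", "device_name": "WS-09",
     "process_name": r"c:\windows\system32\notepad.exe", "reason": "notepad.exe opened a document."},
]

def hook_alerts(alerts, min_severity=7):
    """Keep only high-severity alerts raised by the SetWindowsHookEx rule."""
    return [a for a in alerts
            if a["severity"] >= min_severity and HOOK_MARKER in a["reason"]]

def group_by_binary(alerts):
    """Collapse alerts to one row per process hash: paths seen, hosts seen, alert count."""
    groups = defaultdict(lambda: {"paths": set(), "devices": set(), "alerts": 0})
    for a in alerts:
        g = groups[a["process_sha256"]]
        g["paths"].add(a["process_name"].lower())
        g["devices"].add(a["device_name"])
        g["alerts"] += 1
    return dict(groups)

def recommend(groups, host_threshold=3):
    """One hash, one path, many hosts: candidate for hash approval after vendor
    confirmation. Anything else (single host, or one hash under several paths) stays a review."""
    out = {}
    for sha, g in groups.items():
        if len(g["paths"]) > 1:
            out[sha] = "review: one hash under several paths"
        elif len(g["devices"]) >= host_threshold:
            out[sha] = "confirm with vendor, then approve hash"
        else:
            out[sha] = "review individually"
    return out

if __name__ == "__main__":
    for sha, verdict in recommend(group_by_binary(hook_alerts(SAMPLE_ALERTS))).items():
        print(sha, "->", verdict)
```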