splApache-2.0from splunk/security_content
Processes Tapping Keyboard Events
The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/processes_tapping_keyboard_events.yml
| from datamodel Alerts.Alerts
| search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps
| rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id
| dedup host,process_name
| table host,process_name, cmd, process_id
| `processes_tapping_keyboard_events_filter`