Techniques
Sample rules
Processes Tapping Keyboard Events
- source: splunk
- technicques:
Description
The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.
Detection logic
| from datamodel Alerts.Alerts
| search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps
| rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id
| dedup host,process_name
| table host,process_name, cmd, process_id
| `processes_tapping_keyboard_events_filter`