Techniques
Sample rules
Processes Tapping Keyboard Events
- source: splunk
- techniques:
Description
This search looks for processes on a macOS system that are tapping keyboard events, i.e. monitoring every keystroke a user makes. This is a common technique used by RATs to log a victim's keystrokes, although legitimate processes such as Siri also use event taps to react to human input.
Detection logic
| from datamodel Alerts.Alerts
| search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps
| rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id
| dedup host,process_name
| table host,process_name, cmd, process_id
| `processes_tapping_keyboard_events_filter`
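The following is an added worked example, not part of the original rule or the osquery pack it references: it replays the search above in plain Python over a handful of constructed osquery result lines, so the effect of the `search`, `rename`, `dedup` and filter stages can be checked offline. The log lines, host names, paths and process names are made up for the example; the `processes_tapping_keyboard_events_filter` macro is modelled as a simple allowlist of process names, which is an assumption (in the shipped rule the macro is a placeholder for local tuning).

```python
import json

# The osquery query name the Splunk search keys on.
QUERY_NAME = "pack_osx-attacks_Keyboard_Event_Taps"

# Stand-in for the `processes_tapping_keyboard_events_filter` macro.
# Assumption for this example: a set of process names that are allowed to
# tap keyboard events (Siri is the benign case the description mentions).
KNOWN_GOOD = {"Siri"}

# Constructed osquery "results" log lines (one JSON object per line), sample
# data only. The cmdline/name/pid columns are the ones the SPL renames.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"name": QUERY_NAME, "hostIdentifier": "mac-01", "action": "added",
     "columns": {"cmdline": "/Applications/Siri.app/Contents/MacOS/Siri",
                 "name": "Siri", "pid": "412"}},
    {"name": QUERY_NAME, "hostIdentifier": "mac-01", "action": "added",
     "columns": {"cmdline": "/Users/jdoe/Library/.hidden/updater -d",
                 "name": "updater", "pid": "9981"}},
    # Same host and process name reported again: collapsed by dedup.
    {"name": QUERY_NAME, "hostIdentifier": "mac-01", "action": "added",
     "columns": {"cmdline": "/Users/jdoe/Library/.hidden/updater -d",
                 "name": "updater", "pid": "9981"}},
    {"name": QUERY_NAME, "hostIdentifier": "mac-02", "action": "added",
     "columns": {"cmdline": "/tmp/kl --quiet", "name": "kl", "pid": "301"}},
    # A different query from the same pack: dropped by the name= filter.
    {"name": "pack_osx-attacks_Launch_Daemons", "hostIdentifier": "mac-02",
     "action": "added",
     "columns": {"path": "/Library/LaunchDaemons/com.example.plist"}},
])


def parse_results(text):
    """Parse an osquery results log (one JSON object per line), skipping
    blank or malformed lines instead of aborting the whole search."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rows.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return rows


def keyboard_event_taps(text, known_good=KNOWN_GOOD):
    """Python equivalent of the SPL pipeline:
    search name=<query> | rename columns.* | dedup host,process_name
    | table host,process_name,cmd,process_id | <filter macro>.
    Returns the surviving rows in first-seen order."""
    seen = set()
    out = []
    for r in parse_results(text):
        # `search ... name=pack_osx-attacks_Keyboard_Event_Taps`
        if r.get("name") != QUERY_NAME:
            continue
        cols = r.get("columns", {})
        # `rename columns.cmdline as cmd, columns.name as process_name,
        #         columns.pid as process_id` plus the `table` projection
        row = {
            "host": r.get("hostIdentifier"),
            "process_name": cols.get("name"),
            "cmd": cols.get("cmdline"),
            "process_id": cols.get("pid"),
        }
        # `dedup host,process_name`: keep the first row per (host, name)
        key = (row["host"], row["process_name"])
        if key in seen:
            continue
        seen.add(key)
        # filter macro, modelled here as an allowlist of process names
        if row["process_name"] in known_good:
            continue
        out.append(row)
    return out


if __name__ == "__main__":
    for row in keyboard_event_taps(SAMPLE_LOG):
        print(row)
```

Two caveats the replay makes visible. First, `dedup host,process_name` keeps only the first row per host and process name, so a second, differently located binary that reuses a benign name (or a re-spawned tap with a new pid) on the same host is collapsed into the first one; if that matters in your environment, dedup on `process_id` or `cmd` as well. Second, the search does not look at the osquery `action` field, so in differential logging a `removed` row (the tap went away) is reported the same way as an `added` one; matching on `action=added` is an easy local tuning if you only want new taps.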