There might be some false positives, as keyboard event taps are also used by legitimate processes such as Siri and the Zoom video chat client. For some good examples of processes to exclude, please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.

Techniques

Sample rules

Processes Tapping Keyboard Events

Description

This search looks for processes on a macOS system that are tapping keyboard events, which means they can observe every keystroke made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it is also used by legitimate processes such as Siri to react to human input.

Detection logic

| from datamodel Alerts.Alerts
| search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps
| rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id
| dedup host,process_name
| table host,process_name, cmd, process_id
| `processes_tapping_keyboard_events_filter`
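The following is an added example, not part of this rule or of osquery, that mirrors the search pipeline above offline: it reads osquery result lines in their native JSON shape (`name`, `hostIdentifier`, `columns`), keeps only the `pack_osx-attacks_Keyboard_Event_Taps` query, dedups on host and process name, and applies an allow-list that stands in for the `processes_tapping_keyboard_events_filter` macro. The sample events and the allow-list contents are constructed assumptions.

```python
import json

# Constructed osquery result lines (not real telemetry) in the shape the rule
# expects: the pack query name, the host identifier and the process columns.
SAMPLE_RESULTS = """
{"name": "pack_osx-attacks_Keyboard_Event_Taps", "hostIdentifier": "mac-01", "columns": {"cmdline": "/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri", "name": "Siri", "pid": "412"}}
{"name": "pack_osx-attacks_Keyboard_Event_Taps", "hostIdentifier": "mac-01", "columns": {"cmdline": "/Users/alice/Library/Application Support/.hidden/updater", "name": "updater", "pid": "9031"}}
{"name": "pack_osx-attacks_Keyboard_Event_Taps", "hostIdentifier": "mac-01", "columns": {"cmdline": "/Users/alice/Library/Application Support/.hidden/updater --child", "name": "updater", "pid": "9044"}}
{"name": "pack_osx-attacks_Other_Query", "hostIdentifier": "mac-01", "columns": {"cmdline": "/usr/bin/foo", "name": "foo", "pid": "12"}}
{"name": "pack_osx-attacks_Keyboard_Event_Taps", "hostIdentifier": "mac-02", "columns": {"cmdline": "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "name": "zoom.us", "pid": "777"}}
"""

# Stand-in for the `processes_tapping_keyboard_events_filter` macro: process
# names the false-positive note calls out as legitimate tappers (Siri, Zoom).
# This list is an assumption; a real deployment tunes it per environment.
BENIGN_PROCESS_NAMES = {"Siri", "zoom.us"}


def find_keyboard_tappers(result_lines, benign=BENIGN_PROCESS_NAMES):
    """Mirror the SPL pipeline: select the pack query, rename the columns,
    dedup on (host, process_name), then drop allow-listed processes."""
    seen = set()
    findings = []
    for raw in result_lines.strip().splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        if event.get("name") != "pack_osx-attacks_Keyboard_Event_Taps":
            continue                      # `search name=pack_osx-attacks_...`
        cols = event.get("columns", {})
        host = event.get("hostIdentifier")
        process_name = cols.get("name")
        key = (host, process_name)
        if key in seen:                   # `dedup host,process_name`
            continue
        seen.add(key)
        if process_name in benign:        # the filter macro's exclusions
            continue
        findings.append({                 # `table host,process_name, cmd, process_id`
            "host": host,
            "process_name": process_name,
            "cmd": cols.get("cmdline"),
            "process_id": cols.get("pid"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_keyboard_tappers(SAMPLE_RESULTS):
        print(finding)
```

Running it against the constructed sample leaves a single finding (the second `updater` event is collapsed by the dedup, Siri and zoom.us are filtered); passing an empty allow-list shows what the search returns before the macro is applied.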