A user-level, Swift-based command line keylogger can silently capture sensitive keyboard input; finding one on a host points to an attempt at persistence or data exfiltration. SOC teams should hunt for this behaviour proactively in Azure Sentinel so that low-severity but potentially persistent adversaries using custom tooling are identified and removed early, rather than waiting for an alert.
YARA Rule
rule hacktool_macos_keylogger_b4rsby_swiftlog
{
    meta:
        description = "Dirty user level command line keylogger hacked together in Swift."
        reference = "https://github.com/b4rsby/SwiftLog"
        author = "@mimeframe"
        id = "7f42e787-a723-5e20-99a3-54e1ffa6ccda"
    strings:
        // Prompt text the tool prints when Accessibility access has not been granted.
        // The misspelling "Prefrences" is part of the original string: leave it as-is,
        // or the rule stops matching. `wide ascii` also catches the UTF-16LE form.
        $a1 = "You need to enable the keylogger in the System Prefrences" wide ascii
    condition:
        all of ($a*)
}
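To make the matching semantics concrete, the following added example (not part of the rule author's or the SwiftLog project's code) re-implements the single string of the rule above in pure Python, including the `wide` (UTF-16LE) and `ascii` forms, and runs it over a few constructed byte buffers that stand in for files pulled off a Mac. The buffers, their names and the Mach-O magic prefix are assumptions made for illustration; `yara -s` on real files gives the equivalent offsets.

```python
"""
Replicates the string logic of rule hacktool_macos_keylogger_b4rsby_swiftlog
so a responder can see why a sample does or does not hit it.
Added example; not the rule author's or the SwiftLog project's code.
"""
import re

# Literal from the rule. "Prefrences" is deliberately misspelled: it is the
# keylogger's own prompt text, so it must not be "corrected" here either.
RULE_STRING = "You need to enable the keylogger in the System Prefrences"

# YARA `ascii` = raw one-byte form; `wide` = each character followed by a zero
# byte, i.e. UTF-16LE for an ASCII-only string.
PATTERNS = {
    "ascii": RULE_STRING.encode("ascii"),
    "wide": RULE_STRING.encode("utf-16-le"),
}


def scan(buf: bytes) -> dict:
    """Return {modifier: [offsets]} for every occurrence, like `yara -s` output."""
    hits = {}
    for name, pat in PATTERNS.items():
        offsets = [m.start() for m in re.finditer(re.escape(pat), buf)]
        if offsets:
            hits[name] = offsets
    return hits


def matches_rule(buf: bytes) -> bool:
    """condition: all of ($a*) -- with a single string this is just 'did $a1 hit'."""
    return bool(scan(buf))


# Constructed samples (assumed, not real binaries). 0xFEEDFACF is the 64-bit
# Mach-O magic, written little-endian, to make the blobs look like macOS files.
MACHO_MAGIC = b"\xcf\xfa\xed\xfe"
SAMPLES = {
    # Looks like the keylogger's text segment: a CoreGraphics symbol plus the prompt.
    "swiftlog_like": MACHO_MAGIC + b"\x00" * 12 + b"_CGEventTapCreate\x00"
                     + PATTERNS["ascii"] + b"\x00",
    # Same prompt stored UTF-16LE: still hits because of the `wide` modifier.
    "swiftlog_wide": MACHO_MAGIC + PATTERNS["wide"],
    # A benign Swift CLI (cf. the "PasswordManagerCLI" scenario below): no match.
    "benign_swift_cli": MACHO_MAGIC + b"_swift_retain\x00Usage: pwcli --safe-mode\x00",
    # Near miss: the correctly spelled "Preferences" does NOT match, by design.
    "near_miss": b"You need to enable the keylogger in the System Preferences",
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:18} match={matches_rule(buf)} hits={scan(buf)}")
```

The near-miss sample is the practical caveat: the rule keys on the tool's misspelled prompt, so a rebuilt fork that fixes the typo walks past it. Treat a hit as high-confidence and a miss as no evidence either way.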
This YARA rule can be deployed in the following contexts. It carries a single string pattern ($a1) and matches on that alone; the process-name and argument filters below belong to the host-telemetry hunting query that wraps the YARA match, since the rule itself has no notion of processes. Because the matched string is the keylogger's own prompt text, a file that hits it should still be reviewed even when its process name or arguments fall under one of these exclusions.
Scenario: Developer using Swift to build a legitimate CLI tool for password management
Filter/Exclusion: process.name contains "PasswordManagerCLI" or process.args contains "--safe-mode"
Scenario: System administrator running a scheduled job to automate log rotation using Swift
Filter/Exclusion: process.name contains "logrotate-swift" or process.args contains "--rotate-only"
Scenario: DevOps engineer deploying a Swift-based CLI for infrastructure provisioning
Filter/Exclusion: process.name contains "infra-deploy-cli" or process.args contains "--dry-run"
Scenario: Security team using a custom Swift tool for incident response and forensic analysis
Filter/Exclusion: process.name contains "incident-response-tool" or process.args contains "--analysis-mode"
Scenario: IT support staff using a Swift CLI to manage user accounts and permissions
Filter/Exclusion: process.name contains "user-management-cli" or process.args contains "--audit-only"