This rule detects "A simple and easy to use keylogger for macOS" (caseyscarborough/keylogger), flagging potential adversary behavior where an attacker may be capturing user input to exfiltrate sensitive information. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify early signs of credential theft or data exfiltration attempts.
YARA Rule
rule hacktool_macos_keylogger_caseyscarborough
{
    meta:
        description = "A simple and easy to use keylogger for macOS."
        reference = "https://github.com/caseyscarborough/keylogger"
        author = "@mimeframe"
        id = "191efd22-3f9e-57da-992f-3cc2ab6ecdfa"
    strings:
        $a1 = "/var/log/keystroke.log" wide ascii
        $a2 = "ERROR: Unable to create event tap." wide ascii
        $a3 = "Keylogging has begun." wide ascii
        $a4 = "ERROR: Unable to open log file. Ensure that you have the proper permissions." wide ascii
    condition:
        2 of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
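As an added example (not code from this rule page or from the caseyscarborough project), the Python below re-implements the rule's four strings and its "2 of ($a*)" condition in plain code, so an analyst can see how the "wide ascii" modifiers (literal bytes plus UTF-16LE) and the two-string threshold behave on a buffer. The sample buffers are constructed for illustration.

```python
# Added example: minimal re-implementation of this YARA rule's string and
# condition logic. Not the project's code and not a substitute for YARA itself.

RULE_STRINGS = {
    "$a1": "/var/log/keystroke.log",
    "$a2": "ERROR: Unable to create event tap.",
    "$a3": "Keylogging has begun.",
    "$a4": "ERROR: Unable to open log file. Ensure that you have the proper permissions.",
}
REQUIRED_MATCHES = 2  # rule condition: 2 of ($a*)


def encodings(pattern: str):
    """Byte forms matched by a YARA string with the 'wide ascii' modifiers.

    'ascii' is the literal bytes; 'wide' is each character followed by a NUL
    byte, which for ASCII text is exactly UTF-16LE.
    """
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def matched_strings(data: bytes):
    """Return {identifier: form} for every rule string found in data."""
    hits = {}
    for ident, pattern in RULE_STRINGS.items():
        ascii_form, wide_form = encodings(pattern)
        if ascii_form in data:
            hits[ident] = "ascii"
        elif wide_form in data:
            hits[ident] = "wide"
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition '2 of ($a*)' against a buffer."""
    return len(matched_strings(data)) >= REQUIRED_MATCHES


# Constructed sample buffers (not real binaries):
#  - two strings stored as plain ASCII, as an unstripped build would carry them
#  - the same kind of content stored wide (UTF-16LE), still matched
#  - a single string alone, which stays below the 2-of-4 threshold
SAMPLE_ASCII = b"\x00\x01junk" + b"Keylogging has begun.\x00/var/log/keystroke.log\x00"
SAMPLE_WIDE = (b"pad" + "ERROR: Unable to create event tap.".encode("utf-16-le")
               + "Keylogging has begun.".encode("utf-16-le"))
SAMPLE_SINGLE = b"log path: /var/log/keystroke.log\n"

if __name__ == "__main__":
    for name, buf in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("single", SAMPLE_SINGLE)]:
        print(name, rule_matches(buf), matched_strings(buf))
```

Because the rule fires on string content (a file on disk or a region of process memory), a hit should be tied back to the owning file or process before any of the process-based exclusions below are applied.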
Scenario: User is installing a legitimate macOS application with a built-in keyboard shortcut feature
Example: A developer installs Alfred or BetterTouchTool, which includes custom keyboard shortcuts.
Filter/Exclusion: Exclude processes associated with known legitimate tools like Alfred or BetterTouchTool using their full binary paths or process names.

Scenario: System administrator is configuring a scheduled job for log monitoring
Example: An admin uses launchd to run a script that logs user activity for auditing purposes.
Filter/Exclusion: Exclude processes launched via launchd with specific job identifiers, or exclude scripts that match known admin tools like log or syslog.

Scenario: User is using a third-party password manager with clipboard monitoring
Example: A user runs 1Password or Bitwarden, which monitors clipboard activity for password entry.
Filter/Exclusion: Exclude processes related to password managers like 1Password or Bitwarden using their process names or binary paths.

Scenario: IT team is performing a system audit using a legitimate monitoring tool
Example: The team uses OSX Activity Monitor or Console.app to review system logs and user activity.
Filter/Exclusion: Exclude processes related to system monitoring tools like ActivityMonitor or Console using their full process names.

Scenario: User is running a script to automate form filling or data entry
Example: A user uses AutoHotkey (via Wine) or Keyboard Maestro to automate repetitive tasks.
Filter/Exclusion: Exclude processes associated with automation tools like AutoHotkey or Keyboard Maestro using their process names or binary paths.