This rule detects a simple keylogger for macOS, a malicious script or application that captures user keystrokes, which is an indicator of potential data exfiltration or credential theft. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage espionage or credential theft activity.
YARA Rule
rule hacktool_macos_keylogger_dannvix
{
    meta:
        description = "A simple keylogger for macOS."
        reference = "https://github.com/dannvix/keylogger-osx"
        author = "@mimeframe"
        id = "175e0f9f-fd57-5306-807f-911031d7537d"
    strings:
        $a1 = "/var/log/keystroke.log" wide ascii
        $a2 = "<forward-delete>" wide ascii
        $a3 = "<unknown>" wide ascii
    condition:
        all of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic, each matched in both ASCII and wide (UTF-16LE) form, and the condition requires all three to be present before the rule fires.
Scenario: User is running a legitimate system diagnostic tool
Description: A user is using Activity Monitor or Console to check system logs, which may include keyboard input.
Filter/Exclusion: Exclude processes with process.name containing Activity Monitor, Console, or log in the command line.

Scenario: System administrator is performing a scheduled maintenance task
Description: An admin is running a scheduled script via launchd that logs system events, which may resemble keylogging behavior.
Filter/Exclusion: Exclude processes with process.name containing launchd and label matching com.example.maintenance.

Scenario: User is using a legitimate password manager with clipboard monitoring
Description: A user is using 1Password or Bitwarden, which may capture clipboard content or keyboard input for password entry.
Filter/Exclusion: Exclude processes with process.name containing 1Password, Bitwarden, or keepass.

Scenario: Developer is testing a macOS application with keyboard input simulation
Description: A developer is using AppleScript or Automator to simulate keyboard input for testing purposes.
Filter/Exclusion: Exclude processes with process.name containing AppleScript, Automator, or test.

Scenario: System is running a legitimate security tool with logging capabilities
Description: A security tool like OSXKeylogger (legitimate for forensic analysis) or tcpdump is capturing network or system logs.
Filter/Exclusion: Exclude processes with process.name containing OSXKeylogger, tcpdump, or wireshark.
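The rule's string logic and the process.name exclusions from the scenarios above, as an added example that is not part of the original page or the dannvix project: a pure-Python re-implementation (not YARA itself) that checks the three "wide ascii" strings against constructed sample buffers and then applies the substring filters before alerting. Function names, sample buffers and process names are assumptions made for the demo.

```python
# Added example, not code from the page or the dannvix project: a pure-Python
# re-implementation of the rule's string logic plus the page's process-name
# exclusions, so both can be exercised offline without a yara binary.
# All sample buffers and process names below are constructed for the demo.

STRINGS = {
    "$a1": "/var/log/keystroke.log",
    "$a2": "<forward-delete>",
    "$a3": "<unknown>",
}

# Process-name substrings taken from the page's Filter/Exclusion lines.
EXCLUDED_PROCESS_SUBSTRINGS = (
    "Activity Monitor", "Console", "log",
    "launchd", "1Password", "Bitwarden", "keepass",
    "AppleScript", "Automator", "test",
    "OSXKeylogger", "tcpdump", "wireshark",
)

def encodings(s):
    """YARA 'wide ascii': the string may appear as ASCII or as UTF-16LE."""
    return (s.encode("ascii"), s.encode("utf-16-le"))

def match_strings(data):
    """Report, per identifier, whether the string occurs in either encoding."""
    return {name: any(enc in data for enc in encodings(s))
            for name, s in STRINGS.items()}

def rule_matches(data):
    """Condition 'all of ($a*)': every $a string must be present."""
    return all(match_strings(data).values())

def should_alert(process_name, data):
    """Fire only when the rule matches and no exclusion substring is present."""
    if not rule_matches(data):
        return False
    return not any(sub in process_name for sub in EXCLUDED_PROCESS_SUBSTRINGS)

# Constructed samples: ASCII strings, UTF-16LE ('wide') strings, and a buffer missing $a3.
SAMPLE_ASCII = b"\x00/var/log/keystroke.log\x00<forward-delete>\x00<unknown>\x00"
SAMPLE_WIDE = b"\x00".join(s.encode("utf-16-le") for s in STRINGS.values())
SAMPLE_PARTIAL = b"/var/log/keystroke.log <forward-delete>"

if __name__ == "__main__":
    print(match_strings(SAMPLE_PARTIAL))                   # $a3 missing -> no match
    print(should_alert("keystroke_daemon", SAMPLE_ASCII))  # True
    print(should_alert("keylogger", SAMPLE_ASCII))         # False: "log" substring excludes it
```

The last call shows the cost of the broad substrings "log" and "test" in the page's filters: they also suppress a process literally named keylogger, so exclusions of that kind are better keyed to full process names or signed binary paths.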