A simple keylogger for macOS captures user input, typically through a malicious script or tool, and its presence indicates potential data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage espionage or credential theft attempts.
YARA Rule
rule hacktool_macos_keylogger_eldeveloper_keystats
{
    meta:
        description = "A simple keylogger for macOS."
        reference = "https://github.com/ElDeveloper/keystats"
        author = "@mimeframe"
        id = "468bf492-2fab-5658-9744-8967a52457e3"

    strings:
        $a1 = "YVBKeyLoggerPerishedNotification" wide ascii
        $a2 = "YVBKeyLoggerPerishedByLackOfResponseNotification" wide ascii
        $a3 = "YVBKeyLoggerPerishedByUserChangeNotification" wide ascii

    condition:
        2 of ($a*)
}
This rule contains 3 string patterns in its detection logic.
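To make the rule's logic concrete, here is an added example (not part of the original rule page and not code from the keystats project) that re-implements its matching in plain Python: the "wide ascii" modifier is expanded into both the ASCII and UTF-16LE forms of each string, and the "2 of ($a*)" condition is evaluated over constructed sample buffers, including a buffer with only one hit, which must not fire.

```python
from typing import Dict, List

# The three notification-name strings from the rule; each is declared
# "wide ascii", and the condition is "2 of ($a*)".
RULE_STRINGS = {
    "$a1": b"YVBKeyLoggerPerishedNotification",
    "$a2": b"YVBKeyLoggerPerishedByLackOfResponseNotification",
    "$a3": b"YVBKeyLoggerPerishedByUserChangeNotification",
}
MIN_MATCHES = 2  # condition: 2 of ($a*)


def pattern_variants(ascii_bytes: bytes) -> List[bytes]:
    """'wide ascii' makes YARA search both the plain ASCII form and the
    UTF-16LE ("wide") form, where each character is followed by a NUL."""
    wide = b"".join(bytes([c, 0]) for c in ascii_bytes)
    return [ascii_bytes, wide]


def match_strings(data: bytes) -> Dict[str, List[int]]:
    """Map each identifier found in data to the offsets where it occurs."""
    hits: Dict[str, List[int]] = {}
    for ident, pattern in RULE_STRINGS.items():
        offsets: List[int] = []
        for variant in pattern_variants(pattern):
            start = 0
            while (pos := data.find(variant, start)) != -1:
                offsets.append(pos)
                start = pos + 1
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def rule_matches(data: bytes) -> bool:
    """Condition '2 of ($a*)': at least two distinct identifiers must hit,
    so a lone $a1 (e.g. a log line quoting the name) does not fire."""
    return len(match_strings(data)) >= MIN_MATCHES


# Constructed sample buffers (not real binaries or logs).
SAMPLE_STRING_TABLE = (
    b"\x00YVBKeyLoggerPerishedNotification\x00"
    b"YVBKeyLoggerPerishedByUserChangeNotification\x00"
)
SAMPLE_WIDE = ("YVBKeyLoggerPerishedNotification "
               "YVBKeyLoggerPerishedByLackOfResponseNotification").encode("utf-16-le")
SAMPLE_ONE_HIT = b"debug: YVBKeyLoggerPerishedNotification observed"
SAMPLE_BENIGN = b"Activity Monitor: process table refreshed"
```

This is for understanding and unit-testing the condition; production scanning should still use the YARA engine itself.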
Scenario: User is running a legitimate system diagnostic tool
Description: A user is using a tool like Activity Monitor or Console to check system logs or performance.
Filter/Exclusion: Exclude processes with process.name in Activity Monitor, Console, or log commands.

Scenario: Admin is performing a scheduled system cleanup
Description: An administrator is running a scheduled job using launchd or cron to clean temporary files or logs.
Filter/Exclusion: Exclude processes with process.name containing launchd or cron, and check for command_line containing cleanup, tmp, or logrotate.

Scenario: User is using a legitimate macOS screen recording tool
Description: A user is using QuickTime Player or OBS to record their screen for a presentation or tutorial.
Filter/Exclusion: Exclude processes with process.name in QuickTime Player, OBS, or screen_recording.

Scenario: System is logging keyboard input for accessibility purposes
Description: A user is using an accessibility tool like VoiceOver or a third-party screen reader that requires keyboard input monitoring.
Filter/Exclusion: Exclude processes with process.name in VoiceOver, Accessibility, or screen_reader.

Scenario: User is testing a keylogger detection tool
Description: A security team is testing a detection rule by intentionally running a benign keylogger simulation.
Filter/Exclusion: Exclude processes with process.name containing test, simulate, or detection_tool.