A simple keylogger for macOS captures user input through a malicious script, indicating potential data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage espionage or credential theft activities.
YARA Rule
rule hacktool_macos_keylogger_giacomolaw
{
    meta:
        description = "A simple keylogger for macOS."
        reference = "https://github.com/GiacomoLaw/Keylogger"
        author = "@mimeframe"
        id = "4a9e4fe6-5f28-5f42-9726-ced687055038"
    strings:
        $a1 = "ERROR: Unable to access keystroke log file. Please make sure you have the correct permissions." wide ascii
        $a2 = "ERROR: Unable to create event tap." wide ascii
        $a3 = "Keystrokes are now being recorded" wide ascii
    condition:
        2 of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic; each is declared `wide ascii`, so it matches both the plain ASCII bytes and their UTF-16LE encoding, and the condition `2 of ($a*)` fires when at least 2 of the 3 strings are present.
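To make the rule's semantics concrete, here is an added example (not code from the rule author or from the linked repository): a standard-library-only Python scanner that reproduces this rule's matching logic, the `wide ascii` modifiers and the `2 of ($a*)` threshold, and runs it over constructed sample buffers. It is a teaching reimplementation, not libyara, and the sample buffers are constructed, not real binaries.

```python
"""Constructed scanner replicating the matching semantics of
hacktool_macos_keylogger_giacomolaw (ascii + wide strings, "2 of").
Standard library only; this is a teaching model, not libyara."""
from typing import Dict, List

# The three $a* strings exactly as declared in the rule.
RULE_STRINGS = {
    "$a1": b"ERROR: Unable to access keystroke log file. Please make sure you have the correct permissions.",
    "$a2": b"ERROR: Unable to create event tap.",
    "$a3": b"Keystrokes are now being recorded",
}
THRESHOLD = 2  # condition: 2 of ($a*)


def variants(s: bytes) -> List[bytes]:
    """'wide ascii' in YARA: match the raw ASCII bytes or the UTF-16LE
    form (each character followed by a NUL byte)."""
    return [s, s.decode("ascii").encode("utf-16-le")]


def matched_strings(data: bytes) -> Dict[str, List[int]]:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits: Dict[str, List[int]] = {}
    for ident, pattern in RULE_STRINGS.items():
        offsets = []
        for v in variants(pattern):
            pos = data.find(v)
            while pos != -1:
                offsets.append(pos)
                pos = data.find(v, pos + 1)
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate '2 of ($a*)': at least two distinct identifiers matched."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed samples: plain ASCII strings, UTF-16LE strings, and a single hit.
SAMPLE_ASCII = b"\x00" * 16 + RULE_STRINGS["$a2"] + b"\x00" * 8 + RULE_STRINGS["$a3"] + b"\x00" * 16
SAMPLE_WIDE = b"MZ" + RULE_STRINGS["$a1"].decode().encode("utf-16-le") + b"\x00\x00" + RULE_STRINGS["$a3"].decode().encode("utf-16-le")
SAMPLE_ONE = b"some unrelated text " + RULE_STRINGS["$a3"] + b" trailing"

if __name__ == "__main__":
    for name, blob in (("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("one", SAMPLE_ONE)):
        print(name, rule_matches(blob), sorted(matched_strings(blob)))
```

The third sample shows why the threshold matters: a lone "Keystrokes are now being recorded" string is not enough on its own, which keeps the rule from firing on any file that merely quotes one of these messages.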
Scenario: System Integrity Protection (SIP) bypass tool usage
Description: An admin may use tools like sudo chmod -R 777 /System/Library/ to temporarily bypass SIP for maintenance tasks.
Filter/Exclusion: Exclude processes where the command includes chmod and the path is /System/Library/ with sudo.
Scenario: Scheduled backup job with sensitive file access
Description: A legitimate backup job (e.g., using rsync or backupninja) may access user directories during scheduled execution.
Filter/Exclusion: Exclude processes where the command includes rsync or backupninja and the destination path is a known backup location.
Scenario: macOS Terminal session with user input redirection
Description: A user may run a script that redirects terminal input (e.g., script -f /tmp/logfile) for logging purposes.
Filter/Exclusion: Exclude processes where the command includes script and the output file is located in /tmp/ or /var/tmp/.
Scenario: Admin task involving file system monitoring
Description: An admin might use fs_usage or lsof to monitor file system activity during troubleshooting.
Filter/Exclusion: Exclude processes where the command includes fs_usage or lsof and the process is initiated by an admin user with elevated privileges.
Scenario: macOS App Store app installation with temporary file access
Description: During installation of a macOS app from the App Store, temporary files may be written to /private/var/folders/ for caching.
Filter/Exclusion: Exclude processes where the command includes Installer or App Store and the path is within /private/var/folders/.