LogKext is a low-severity open-source keylogger used by adversaries to capture keystrokes on Mac OS X systems, indicating potential data exfiltration. SOC teams should proactively hunt for LogKext in Azure Sentinel to identify and mitigate early-stage espionage activities by FSB-linked actors.
YARA Rule
rule hacktool_macos_keylogger_logkext
{
    meta:
        description = "LogKext is an open source keylogger for Mac OS X, a product of FSB software."
        reference = "https://github.com/SlEePlEs5/logKext"
        author = "@mimeframe"
        id = "849cbd43-288b-55de-b031-09322e49784c"
    strings:
        // daemon
        $a1 = "logKextPassKey" wide ascii
        $a2 = "Couldn't get system keychain:" wide ascii
        $a3 = "Error finding secret in keychain" wide ascii
        $a4 = "com_fsb_iokit_logKext" wide ascii
        // client
        $b1 = "logKext Password:" wide ascii
        $b2 = "Logging controls whether the daemon is logging keystrokes (default is on)." wide ascii
        // logkextkeygen
        $c1 = "logKextPassKey" wide ascii
        $c2 = "Error: couldn't create secAccess" wide ascii
        // logkext
        $d1 = "IOHIKeyboard" wide ascii
        $d2 = "Clear keyboards called with kextkeys" wide ascii
        $d3 = "Added notification for keyboard" wide ascii
    condition:
        3 of ($a*) or all of ($b*) or all of ($c*) or all of ($d*)
}
This rule contains 11 string patterns in its detection logic.
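To make the matching logic concrete, the following added example (not part of the page or of the LogKext project) re-implements the rule's eleven "wide ascii" strings and its condition in plain Python, so the per-component thresholds can be exercised on constructed byte blobs without a YARA engine; the sample blobs are constructed for illustration, not taken from real binaries.

```python
# Added example: mirrors the rule above. "wide ascii" means each string is
# searched both as its literal bytes and as its UTF-16LE encoding.
from typing import Dict, List

# String groups exactly as declared in the rule.
STRINGS: Dict[str, List[str]] = {
    "a": ["logKextPassKey", "Couldn't get system keychain:",
          "Error finding secret in keychain", "com_fsb_iokit_logKext"],
    "b": ["logKext Password:",
          "Logging controls whether the daemon is logging keystrokes (default is on)."],
    "c": ["logKextPassKey", "Error: couldn't create secAccess"],
    "d": ["IOHIKeyboard", "Clear keyboards called with kextkeys",
          "Added notification for keyboard"],
}


def string_hits(data: bytes, text: str) -> bool:
    """Emulate a YARA 'wide ascii' string: literal bytes or UTF-16LE."""
    return text.encode("ascii") in data or text.encode("utf-16-le") in data


def group_hits(data: bytes, group: str) -> int:
    """Number of strings from one $-group present in the data."""
    return sum(string_hits(data, s) for s in STRINGS[group])


def rule_matches(data: bytes) -> bool:
    """Condition: 3 of ($a*) or all of ($b*) or all of ($c*) or all of ($d*)."""
    return (group_hits(data, "a") >= 3
            or group_hits(data, "b") == len(STRINGS["b"])
            or group_hits(data, "c") == len(STRINGS["c"])
            or group_hits(data, "d") == len(STRINGS["d"]))


# Constructed samples (not real binaries).
# Three daemon strings: satisfies "3 of ($a*)".
DAEMON_LIKE = (b"\x00junk\x00logKextPassKey\x00com_fsb_iokit_logKext"
               b"\x00Couldn't get system keychain:\x00")
# Shared by the daemon and keygen groups, but on its own trips neither threshold.
SINGLE_STRING = b"logKextPassKey"
# Client strings stored as UTF-16LE: matched only because of the 'wide' modifier.
CLIENT_WIDE = b"".join(s.encode("utf-16-le") for s in STRINGS["b"])

if __name__ == "__main__":
    for name, blob in [("daemon-like", DAEMON_LIKE),
                       ("single string", SINGLE_STRING),
                       ("client wide", CLIENT_WIDE)]:
        print(f"{name}: {'MATCH' if rule_matches(blob) else 'no match'}")
```

The single-string case shows why "logKextPassKey" alone is not enough to fire the rule: it must co-occur with two more daemon strings or with the keygen error string.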
Scenario: System Integrity Protection (SIP) Bypass Tools
Description: Administrative use of commands such as sudo or csrutil to disable SIP for system updates or configuration changes may trigger the rule due to similar process names or behaviors.
Filter/Exclusion: Exclude processes initiated by root or with sudo in the command line, or filter by user ID (e.g., user.id == 0).
Scenario: Scheduled Maintenance Tasks
Description: Legitimate scheduled jobs such as launchd tasks or cron jobs that perform system cleanup or log rotation might be flagged due to similar process names or file system activity.
Filter/Exclusion: Exclude processes associated with known maintenance tasks (e.g., com.apple.periodic or logrotate) or filter by command line arguments containing log or rotate.
Scenario: Third-Party Key Management Tools
Description: Enterprise key management tools like Keychain Access or OpenSSL might be mistaken for LogKext due to similar names or file system access patterns.
Filter/Exclusion: Exclude processes related to Keychain or openssl by checking the full path or command line arguments.
Scenario: Malware Analysis Environment
Description: In a sandboxed or analysis environment, tools like Docker, VirtualBox, or QEMU may generate network or file system activity similar to that of LogKext.
Filter/Exclusion: Exclude processes running in virtualized environments by checking for virtualization indicators (e.g., vmware, qemu, or docker) in the process name or parent process.
Scenario: Admin Debugging or Profiling Tools
Description: Tools like dtrace, log commands, or syslog utilities used for debugging or monitoring