This rule for the ofxKeylogger keylogger detects potential adversary behavior involving the capture and exfiltration of keystrokes to steal sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage keylogging activity that could lead to credential theft or data compromise.
YARA Rule
rule hacktool_macos_keylogger_roxlu_ofxkeylogger
{
    meta:
        description = "ofxKeylogger keylogger."
        reference = "https://github.com/roxlu/ofxKeylogger"
        author = "@mimeframe"
        id = "622d7da4-25da-56a4-9e60-a225c2eaf0a1"
    strings:
        $a1 = "keylogger_init" wide ascii
        $a2 = "install_keylogger_hook function not found in dll." wide ascii
        $a3 = "keylogger_set_callback" wide ascii
    condition:
        all of ($a*)
}
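To make the rule's semantics concrete, here is an added Python example (not part of the original page and not the rule author's tooling) that emulates its matching logic without the yara library: each string is searched in both its ASCII and its "wide" (UTF-16LE) byte form, as the `wide ascii` modifiers specify, and the condition `all of ($a*)` requires every string to be present. The two sample buffers are constructed for the demonstration and are not real binaries.

```python
"""Emulate the matching logic of the ofxKeylogger YARA rule.

Added example: reproduces the rule's semantics in plain Python so the
effect of the `wide ascii` modifiers and the `all of ($a*)` condition
can be observed on constructed input.
"""
from typing import Dict, List

# The three string patterns from the rule, keyed by their identifiers.
RULE_STRINGS: Dict[str, str] = {
    "$a1": "keylogger_init",
    "$a2": "install_keylogger_hook function not found in dll.",
    "$a3": "keylogger_set_callback",
}


def encodings(pattern: str) -> List[bytes]:
    """Byte forms that `wide ascii` makes YARA look for: 8-bit and UTF-16LE."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def match_strings(data: bytes) -> Dict[str, bool]:
    """Report, per identifier, whether the pattern occurs in either encoding."""
    return {
        ident: any(form in data for form in encodings(pattern))
        for ident, pattern in RULE_STRINGS.items()
    }


def rule_matches(data: bytes) -> bool:
    """Condition `all of ($a*)`: every $a string must be present."""
    return all(match_strings(data).values())


# Constructed samples (not real files). SAMPLE_FULL carries all three
# strings, mixing narrow and wide encodings; SAMPLE_PARTIAL lacks $a2.
SAMPLE_FULL = (
    b"\x00" * 16
    + b"keylogger_init\x00"
    + "install_keylogger_hook function not found in dll.".encode("utf-16-le")
    + b"\x00keylogger_set_callback\x00"
)
SAMPLE_PARTIAL = b"keylogger_init\x00keylogger_set_callback\x00"

if __name__ == "__main__":
    for name, buf in (("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL)):
        print(name, match_strings(buf), "->", rule_matches(buf))
```

The partial sample shows why `all of` matters for precision: two of the three strings on their own do not fire the rule. In a real deployment the rule text would be compiled with yara-python (`yara.compile(source=...)`) and evaluated with `.match(data=...)` rather than with this emulation.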
This rule contains 3 string patterns in its detection logic. The following scenarios describe legitimate activity that may overlap with this detection, together with suggested filters and exclusions:
Scenario: System update or patch deployment using Microsoft Update or WSUS
Filter/Exclusion: Check for process.name containing wuauclt.exe or wuauserv.exe
Rationale: These processes are commonly used for Windows updates and may trigger keylogger detection rules due to their elevated privileges.

Scenario: PowerShell script execution for system maintenance or configuration management
Filter/Exclusion: Filter by process.name containing powershell.exe and check for known legitimate scripts or modules (e.g., PSConfig, PSDsc)
Rationale: PowerShell is often used for automation and may be flagged due to its ability to execute arbitrary commands.

Scenario: Scheduled Task running a legitimate system cleanup or log rotation job
Filter/Exclusion: Check for task.name or task.description containing keywords like “Cleanup”, “Logrotate”, or “Maintenance”
Rationale: Scheduled tasks are common in enterprise environments and may be misidentified as malicious activity.

Scenario: Remote Desktop Services (RDS) session activity or Terminal Services session management
Filter/Exclusion: Filter by process.name containing mstsc.exe or tsclient.exe and check for user authentication context
Rationale: RDP sessions can generate keylogging-like behavior during user interaction, leading to false positives.

Scenario: Log management tool such as Splunk, ELK Stack, or Graylog collecting keystrokes for audit purposes
Filter/Exclusion: Check for process.name containing splunkd.exe, logstash, or graylog-server and verify if the process is associated with log collection
Rationale: These tools may capture keystrokes during log aggregation, which can trigger key
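The filters above, applied to alert records in Python as an added example (not from the original page). The alert dictionaries are constructed and use the field names the scenarios mention (process.name, task.name, task.description); the process names and task keywords are the ones listed above. The example handles two details a tuning rule should not miss: process.name may hold a full path rather than a bare file name, and matching must be case-insensitive. Name-based exclusions are only as strong as the name, so in practice they should be combined with path and signer checks before an alert is suppressed.

```python
"""Apply the page's process- and task-based exclusions to alert records.

Added example. Field names follow the scenarios on the page; a Sentinel
query would express the same logic in KQL.
"""
import ntpath
from typing import Dict, Iterable, List

# Process-name tokens from the scenarios above (compared lower-case).
EXCLUDED_PROCESSES = (
    "wuauclt.exe", "wuauserv.exe",                # Windows Update / WSUS
    "powershell.exe",                             # maintenance scripting
    "mstsc.exe", "tsclient.exe",                  # RDS / Terminal Services
    "splunkd.exe", "logstash", "graylog-server",  # log collectors
)
# Scheduled-task keywords from the scenarios above.
TASK_KEYWORDS = ("cleanup", "logrotate", "maintenance")


def process_basename(value: str) -> str:
    """Reduce a process field that may hold a full path to a lower-case name."""
    return ntpath.basename(value.replace("/", "\\")).lower()


def is_excluded(alert: Dict[str, str]) -> bool:
    """True when the alert matches one of the listed filter scenarios."""
    proc = process_basename(alert.get("process.name", ""))
    if any(token in proc for token in EXCLUDED_PROCESSES):
        return True
    task_text = " ".join(
        (alert.get("task.name", ""), alert.get("task.description", ""))
    ).lower()
    return any(keyword in task_text for keyword in TASK_KEYWORDS)


def triage(alerts: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the alerts that survive the exclusions."""
    return [alert for alert in alerts if not is_excluded(alert)]


# Constructed alert records for the demonstration.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"process.name": r"C:\Windows\System32\wuauclt.exe"},
    {"process.name": "PowerShell.EXE"},
    {"process.name": "svchost.exe", "task.name": "Nightly Cleanup"},
    {"process.name": r"C:\Users\Public\updater.exe"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print("excluded" if is_excluded(alert) else "keep    ", alert)
    print("remaining:", triage(SAMPLE_ALERTS))
```

Only the unrecognised updater.exe alert remains after triage; the first three are suppressed by the Windows Update, PowerShell and scheduled-task scenarios respectively.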