A SOC team should proactively hunt with this rule, as it detects potential keylogging activity on macOS systems, which could indicate unauthorized data exfiltration. The low severity and lack of mapped MITRE techniques suggest the adversary may be using stealthy, custom methods to persist and capture keystrokes, warranting further investigation to identify and mitigate potential breaches.
YARA Rule
rule hacktool_macos_keylogger_skreweverything_swift
{
    meta:
        description = "It is a simple and easy to use keylogger for macOS written in Swift."
        reference = "https://github.com/SkrewEverything/Swift-Keylogger"
        author = "@mimeframe"
        id = "eed3b9bb-e8e4-53b6-8d17-8aa989d8a2fc"
    strings:
        $a1 = "Can't create directories!" wide ascii
        $a2 = "Can't create manager" wide ascii
        $a3 = "Can't open HID!" wide ascii
        $a4 = "PRINTSCREEN" wide ascii
        $a5 = "LEFTARROW" wide ascii
    condition:
        4 of ($a*)
}
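To see how the rule's "wide ascii" modifiers and its "4 of ($a*)" threshold behave before deploying it, the following added example (not the rule author's code, and not the yara library itself) emulates the rule's string matching in pure Python and runs it over two constructed buffers, one with four of the strings (two encoded as UTF-16LE) and one with only three.

```python
# Added example: pure-Python emulation of this rule's string and condition
# logic, for testing the "4 of ($a*)" threshold against sample data without
# a yara install. Constructed buffers below are not real binaries.
RULE_STRINGS = {
    "$a1": "Can't create directories!",
    "$a2": "Can't create manager",
    "$a3": "Can't open HID!",
    "$a4": "PRINTSCREEN",
    "$a5": "LEFTARROW",
}
THRESHOLD = 4  # the rule's condition: 4 of ($a*)


def pattern_variants(text: str) -> list[bytes]:
    """'wide ascii' modifier: match either the ASCII bytes or the UTF-16LE encoding."""
    return [text.encode("ascii"), text.encode("utf-16-le")]


def matched_strings(data: bytes) -> dict[str, str]:
    """Return {identifier: encoding} for every rule string found in data."""
    hits = {}
    for ident, text in RULE_STRINGS.items():
        for enc, pat in zip(("ascii", "wide"), pattern_variants(text)):
            if pat in data:
                hits[ident] = enc
                break  # one hit per identifier is enough for "N of" counting
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition '4 of ($a*)' over the matched identifiers."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed sample: Mach-O magic followed by four rule strings, two of them
# as UTF-16LE, so the 'wide' variant is what actually fires for $a2 and $a5.
SAMPLE_HIT = (b"\xcf\xfa\xed\xfe"
              + b"Can't open HID!\x00" + b"PRINTSCREEN\x00"
              + "LEFTARROW".encode("utf-16-le")
              + "Can't create manager".encode("utf-16-le"))
# Constructed sample: only three of the strings, so the threshold is not met.
SAMPLE_MISS = b"\xcf\xfa\xed\xfe" + b"PRINTSCREEN\x00LEFTARROW\x00Can't open HID!\x00"

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, rule_matches(buf), matched_strings(buf))
```

Swapping SAMPLE_HIT for a benign binary that happens to embed key-name strings like PRINTSCREEN and LEFTARROW is a quick way to check whether a tuning change to the threshold would open the rule up to false positives.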
This rule contains 5 string patterns in its detection logic. It can be deployed in the following contexts; each scenario describes legitimate activity that may match the rule and a filter or exclusion for it.
Scenario: macOS System Integrity Protection (SIP) Bypass Tool
Description: A legitimate tool used by administrators to bypass SIP for system maintenance or debugging.
Filter/Exclusion: Check for known SIP bypass tools like sudo with specific command-line arguments or presence of /usr/bin/launchd in the process tree.
Scenario: Scheduled Maintenance Job
Description: A legitimate scheduled job (e.g., via launchd or cron) that performs system cleanup or log rotation.
Filter/Exclusion: Filter by process name (e.g., logrotate, systemd-journald, or launchd) and check for known maintenance scripts in /Library/LaunchDaemons/ or /etc/cron.d/.
Scenario: macOS Keychain Access Tool
Description: A legitimate tool used to manage keychain entries, which may involve key logging for password retrieval in enterprise environments.
Filter/Exclusion: Check for presence of /System/Library/CoreServices/Keychain Access.app or use process name filtering to exclude standard keychain operations.
Scenario: Admin Task for User Account Management
Description: An admin task involving user account creation or modification that may temporarily log keystrokes for password entry.
Filter/Exclusion: Filter by user account management tools like dscl, Directory Utility, or User Manager and check for elevated privileges via sudo.
Scenario: Third-Party Monitoring Tool with Key Logging Feature
Description: A legitimate third-party monitoring or security tool that includes key logging functionality for audit or compliance purposes.
Filter/Exclusion: Check for known enterprise tools (e.g., Splunk, SolarWinds, LogRhythm) and verify if the tool is configured with proper logging policies and access controls.