osquery-defense-kit/detection/credentials/macos_keyboard_sniffer.sql

44 lines
1.2 KiB
SQL

-- Find programs that are sniffing keyboard events on macOS
--
-- references:
-- * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
--
-- platform: darwin
-- tags: periodic sniffer
SELECT
et.enabled,
et.process_being_tapped,
et.tapping_process,
p.path,
s.authority,
s.identifier,
h.sha256,
CONCAT (
REPLACE(
p.path,
RTRIM(p.path, REPLACE(p.path, '/', '')),
''
),
',',
identifier,
',',
authority
) AS exception_key
FROM
event_taps et
LEFT JOIN processes p ON et.tapping_process = p.pid
LEFT JOIN signature s ON s.path = p.path
LEFT JOIN hash h ON h.path = p.path
WHERE
event_tapped IN ('EventKeyDown', 'EventKeyUp')
AND authority != 'Software Signing'
AND NOT exception_key IN (
'iTerm2,com.googlecode.iterm2,Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)',
'skhd,skhd,'
)
GROUP BY
p.path