RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2025-01-08 22:39:28 +00:00
Code Issues Packages Projects Releases Wiki Activity
710ca28ed9
osquery-defense-kit/detection/credentials/macos_keyboard_sniffer.sql

48 lines
1.6 KiB
SQL
Raw Blame History

-- Find programs that are sniffing keyboard events on macOS
--
-- references:
-- * https://attack.mitre.org/techniques/T1056/001/ (Input Capture: Keylogging)
--
-- platform: darwin
-- tags: persistent state sniffer
SELECT
et.enabled,
et.process_being_tapped,
et.tapping_process,
p.path,
s.authority,
s.identifier,
h.sha256,
CONCAT (
REPLACE(
p.path,
RTRIM(p.path, REPLACE(p.path, '/', '')),
''
),
',',
identifier,
',',
authority
) AS exception_key
FROM
event_taps et
LEFT JOIN processes p ON et.tapping_process = p.pid
LEFT JOIN signature s ON s.path = p.path
LEFT JOIN hash h ON h.path = p.path
WHERE
event_tapped IN ('EventKeyDown', 'EventKeyUp')
AND authority != 'Software Signing'
-- Popular programs that sniff keyboard events, but do not appear to be malware.
AND NOT exception_key IN (
'BetterTouchTool,com.hegenberg.BetterTouchTool,Developer ID Application: folivora.AI GmbH (DAFVSXZ82P)',
'Contexts,com.contextsformac.Contexts,Developer ID Application: Usman Khalid (RZ7E748ZSC)',
'Hyperkey,com.knollsoft.Hyperkey,Developer ID Application: Ryan Hanson (XSYZ3E4B7D)',
'iTerm2,com.googlecode.iterm2,Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)',
'skhd,skhd,'
)
GROUP BY
p.path
Reference in New Issue View Git Blame Copy Permalink