osquery-defense-kit/fd/macos_keyboard_sniffer.sql

SELECT et.enabled, et.process_being_tapped, et.tapping_process,
    p.path,
    s.authority,
    s.identifier,
    h.sha256,
    CONCAT(
        REPLACE(
            p.path,
            RTRIM(p.path, REPLACE(p.path, '/', '')),
            ''
        ),
        ",",
        identifier,
        ",",
        authority
    ) AS exception_key
FROM event_taps et
    LEFT JOIN processes p ON et.tapping_process = p.pid
    LEFT JOIN signature s ON s.path = p.path
    LEFT JOIN hash h ON h.path = p.path
WHERE event_tapped IN ('EventKeyDown', 'EventKeyUp')
    AND authority != "Software Signing"
    AND NOT exception_key IN (
        'iTerm2,com.googlecode.iterm2,Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
        'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
        'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
        "MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)",
        'skhd,skhd,'
    )
GROUP BY p.path