EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Processes Tapping Keyboard Events

The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.

Detection Query

| from datamodel Alerts.Alerts
| search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps
| rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id
| dedup host,process_name
| table host,process_name, cmd, process_id
| `processes_tapping_keyboard_events_filter`

Author

Jose Hernandez, Splunk

Created

2026-04-13

Data Sources

Osquery Results

Tags

ColdRoot MacOS RATAPT37 Rustonotto and FadeStealer
Raw Content
name: Processes Tapping Keyboard Events
id: 2a371608-331d-4034-ae2c-21dda8f1d0ec
version: 11
date: '2026-04-13'
author: Jose Hernandez, Splunk
status: experimental
type: TTP
description: The following analytic detects processes on macOS systems that are tapping keyboard events, potentially monitoring all keystrokes made by a user. It leverages data from osquery results within the Alerts data model, focusing on specific process names and command lines. This activity is significant as it is a common technique used by Remote Access Trojans (RATs) to log keystrokes, posing a serious security risk. If confirmed malicious, this could lead to unauthorized access to sensitive information, including passwords and personal data, compromising the integrity and confidentiality of the system.
data_source:
    - Osquery Results
search: |-
    | from datamodel Alerts.Alerts
    | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps
    | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id
    | dedup host,process_name
    | table host,process_name, cmd, process_id
    | `processes_tapping_keyboard_events_filter`
how_to_implement: In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.
known_false_positives: There might be some false positives as keyboard event taps are used by processes like Siri and Zoom video chat, for some good examples of processes to exclude please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.
references: []
rba:
    message: Keyboard Event Tapping observed on $host$
    risk_objects:
        - field: host
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - ColdRoot MacOS RAT
        - APT37 Rustonotto and FadeStealer
    asset_type: Endpoint
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat