Event Taps
Overview
Evidence: Event Taps
Description: Collect Event Taps
Category: System
Platform: macos
Short Name: evtps
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Event Taps are a macOS mechanism that lets an application monitor, and optionally modify, system-wide input events such as key presses, mouse movements, and clicks. Legitimate applications use Event Taps for accessibility features and input monitoring, but malicious software frequently abuses the same capability for keylogging, credential theft, and surveillance. Monitoring which processes hold active Event Taps is therefore important for detecting potentially malicious activity and privacy violations.
Data Collected
This collector gathers structured data about event taps.
Event Taps Data
| Field | Description | Example |
|---|---|---|
| EventTapped | The input event(s) intercepted by the tap | Example value |
| Identifier | Identifier of the tapping process | Example value |
| Signed | Code signing status of the tapping process | 123 |
| TeamIdentifier | Team identifier from the process's code signature | Example value |
| Authority | Signing authority from the process's code signature | Example value |
Collection Method
This collector queries osquery's event_taps table, joined with process and code-signature information, to identify all active Event Taps. It filters out common system processes that legitimately hold taps (ViewBridgeAuxiliary, universalaccessd, AXVisualSupportAgent) and records the tapped events, the tapping process's identifier, its code signing status, team identifier, and signing authority. The result shows which applications are monitoring system input events.
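The following osquery query is an added illustration of the collection approach described above; it is not the collector's own query. It uses the documented columns of osquery's `event_taps`, `processes`, and `signature` tables (`event_tapped`, `tapping_process`, `enabled`, `signed`, `team_identifier`, `authority`); the exact join and filter the collector applies are assumptions.

```sql
-- Added example: enumerate active macOS Event Taps with the signing state
-- of the process that installed each tap. Run with osqueryi on macOS.
SELECT
  et.event_tapped,                 -- which input events the tap intercepts
  p.pid,
  p.name,
  p.path,
  s.identifier,                    -- bundle/code identifier from the signature
  s.signed,                        -- 1 = signed, 0 = unsigned
  s.team_identifier,
  s.authority,
  -- Triage hint: unsigned taps or taps with no team identifier deserve review
  CASE
    WHEN s.signed = 0 OR s.signed IS NULL THEN 'review: unsigned tapping process'
    WHEN s.team_identifier IS NULL OR s.team_identifier = '' THEN 'review: no team identifier'
    ELSE 'signed'
  END AS triage_note
FROM event_taps et
JOIN processes p
  ON p.pid = et.tapping_process
LEFT JOIN signature s
  ON s.path = p.path              -- signature requires a path constraint
WHERE et.enabled = 1
  -- Exclude the benign system processes the collector also filters out
  AND p.name NOT IN ('ViewBridgeAuxiliary', 'universalaccessd', 'AXVisualSupportAgent');
```

A LEFT JOIN on `signature` is deliberate: a process whose binary cannot be signature-checked (for example, one whose executable was deleted after launch) still appears in the output rather than being silently dropped, which is exactly the case an investigator wants to see.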
Forensic Value
Event Tap monitoring is critical for detecting keyloggers, spyware, credential theft tools, and surveillance malware. Unsigned or otherwise suspicious Event Taps often indicate malicious activity. This evidence helps identify privacy violations, data exfiltration mechanisms, and persistent monitoring tools. The signing information lets investigators assess the legitimacy of each tapping process and track the same malicious software across systems. Event Taps are a common technique used by advanced persistent threats and commercial spyware.
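As an added example of triaging this evidence once it has been collected from several hosts, the query below works against a constructed table that mirrors the fields listed under Data Collected plus a hostname column. The table name `event_taps_evidence`, the hostname column, and all rows are constructed for illustration and are not part of the product's schema; the query is SQLite-compatible.

```sql
-- Added example (constructed data): rank collected Event Tap records by
-- how much review they warrant and show how widely each tapping process
-- is spread across the fleet.
CREATE TABLE event_taps_evidence (
  hostname       TEXT,
  EventTapped    TEXT,
  Identifier     TEXT,
  Signed         INTEGER,   -- 1 = signed, 0 = unsigned
  TeamIdentifier TEXT,
  Authority      TEXT
);

-- Constructed sample rows: an Apple-signed accessibility helper, a
-- third-party signed utility on two hosts, and an unsigned process.
INSERT INTO event_taps_evidence VALUES
  ('host-a', 'keyDown,keyUp', 'com.apple.example.helper', 1, 'APPLE', 'Software Signing'),
  ('host-a', 'keyDown',       'com.example.utility',      1, 'EXAMPLETEAM', 'Developer ID Application: Example Inc'),
  ('host-b', 'keyDown',       'com.example.utility',      1, 'EXAMPLETEAM', 'Developer ID Application: Example Inc'),
  ('host-c', 'keyDown,keyUp,mouseMoved', 'unknown-binary', 0, NULL, NULL);

SELECT
  Identifier,
  TeamIdentifier,
  Authority,
  COUNT(DISTINCT hostname) AS host_count,   -- spread across systems
  GROUP_CONCAT(DISTINCT hostname) AS hosts,
  GROUP_CONCAT(DISTINCT EventTapped) AS events,
  CASE
    WHEN MIN(Signed) = 0 OR MIN(Signed) IS NULL THEN 'high: unsigned tap'
    WHEN TeamIdentifier = 'APPLE'
      OR Authority LIKE 'Software Signing%' THEN 'low: Apple-signed'
    WHEN EventTapped LIKE '%keyDown%'          THEN 'medium: third-party keyboard tap'
    ELSE 'medium: third-party tap'
  END AS review_priority
FROM event_taps_evidence
GROUP BY Identifier, TeamIdentifier, Authority
ORDER BY
  CASE WHEN review_priority LIKE 'high%' THEN 0
       WHEN review_priority LIKE 'medium%' THEN 1
       ELSE 2 END,
  host_count DESC;
```

Grouping by identifier and team identifier is what lets a single signed tool that appears on many hosts be assessed once, while an unsigned tap that appears on only one host still sorts to the top.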