Event Taps

Overview

Evidence: Event Taps
Description: Collect Event Taps
Category: System
Platform: macos
Short Name: evtps
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Event Taps are a macOS mechanism that allows applications to monitor and modify system-wide input events such as keyboard presses, mouse movements, and clicks. While legitimate applications use Event Taps for accessibility features and input monitoring, malicious software often abuses this capability for keylogging, credential theft, and surveillance. Monitoring active Event Taps is crucial for detecting potentially malicious activity and privacy violations.

Data Collected

This collector gathers structured data about event taps.

Event Taps Data

Field            Description        Example
EventTapped      Event Tapped       Example value
Identifier       Identifier         Example value
Signed           Signed             123
TeamIdentifier   Team Identifier    Example value
Authority        Authority          Example value

Collection Method

This collector queries osquery's event_taps table joined with process and signature information to identify all active Event Taps. It filters out common system processes (ViewBridgeAuxiliary, universalaccessd, AXVisualSupportAgent) and captures the tapped events, process identifier, code signing status, team identifier, and signing authority. This provides visibility into which applications are monitoring system events.
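The kind of osquery query the collection method describes, written here as an added illustration rather than the collector's own query; it uses the column names of osquery's event_taps, processes and signature tables and the exclusion list named above, and restricts to enabled taps (an assumption, since the text does not say whether disabled taps are kept).

```sql
-- Added example: enumerate active event taps on macOS with osquery,
-- joining the tapping process to its code-signing information.
-- Assumed to run in osqueryi or as a scheduled query; output columns map
-- onto the EventTapped, Identifier, Signed, TeamIdentifier and Authority
-- fields documented for this collector.
SELECT
    et.event_tapped    AS EventTapped,     -- event types the tap receives
    s.identifier       AS Identifier,      -- bundle/code identifier of the tapper
    s.signed           AS Signed,          -- 1 if the binary carries a signature
    s.team_identifier  AS TeamIdentifier,  -- Apple Developer team ID, if any
    s.authority        AS Authority,       -- leaf of the signing chain
    p.pid              AS TappingPid,      -- extra context for triage
    p.path             AS TappingPath
FROM event_taps et
JOIN processes p
    ON et.tapping_process = p.pid
JOIN signature s
    ON s.path = p.path                     -- signature table is keyed on path
WHERE et.enabled = 1                       -- assumption: only live taps matter
  AND p.name NOT IN (                      -- benign system helpers named above
        'ViewBridgeAuxiliary',
        'universalaccessd',
        'AXVisualSupportAgent'
  );
```

Rows where Signed is 0, TeamIdentifier is empty, or Authority is not an Apple or known-vendor certificate are the ones that deserve a closer look during investigation.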

Forensic Value

Event Tap monitoring is critical for detecting keyloggers, spyware, credential theft tools, and surveillance malware. Unsigned or suspicious Event Taps often indicate malicious activity. This evidence helps identify privacy violations, data exfiltration mechanisms, and persistent monitoring tools. The signing information allows investigators to assess legitimacy and track malicious software across systems. Event Taps are a common technique used by advanced persistent threats and commercial spyware.
