Language: SPL | License: Apache-2.0 | Source: splunk/security_content

MacOS plutil

The following analytic detects use of the `plutil` command to modify plist files on macOS systems. It leverages osquery process events (the es_process_events table), specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security. Because `plutil` is also invoked routinely by legitimate installers and management tooling, known-benign invocations in an environment should be tuned out in the `macos_plutil_filter` macro rather than by loosening the base search.

Quality: 67
Rule source: detections/endpoint/macos_plutil.yml
`osquery_macro` name=es_process_events columns.path=/usr/bin/plutil
| rename columns.* as *
| stats count min(_time) as firstTime max(_time) as lastTime BY username host cmdline pid path parent signing_id
| rename username as user, cmdline as process, path as process_path, host as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_plutil_filter`
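To make the pipeline above testable offline, here is an added example (not code from splunk/security_content) that replays the same steps in plain Python over constructed osquery result lines: filter on `columns.path`, flatten `columns.*`, `stats count min(_time) max(_time) BY` the grouping fields, rename, format the timestamps, and apply a filter macro. The record layout (a top-level `columns` dict plus `unixTime` and `hostIdentifier`) follows osquery's JSON result log; mapping `_time` to `unixTime` and `host` to `hostIdentifier` is an assumption about the Splunk input, and the contents of `macos_plutil_filter` are not on the page, so the example assumes a tuning that drops read-only `plutil -p` / `plutil -lint` invocations, which cannot modify a plist.

```python
"""Offline replay of the MacOS plutil analytic (added example, not the project's code)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Fields from `stats ... BY ...` and the `rename` step of the SPL on this page.
GROUP_BY = ("username", "host", "cmdline", "pid", "path", "parent", "signing_id")
RENAME = {"username": "user", "cmdline": "process", "path": "process_path", "host": "dest"}
# Assumed tuning for the `macos_plutil_filter` macro: plutil flags that only read a plist.
READ_ONLY_FLAGS = {"-p", "-lint"}

# Constructed sample osquery result lines (not real telemetry). The first process is
# reported twice on purpose so that count / firstTime / lastTime are exercised.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"name": "es_process_events", "hostIdentifier": "mac-01", "unixTime": 1700000000,
     "columns": {"path": "/usr/bin/plutil", "username": "alice", "pid": "4101", "parent": "612",
                 "signing_id": "com.apple.plutil",
                 "cmdline": "/usr/bin/plutil -insert ProgramArguments -string /tmp/updater "
                            "/Users/alice/Library/LaunchAgents/com.example.agent.plist"}},
    {"name": "es_process_events", "hostIdentifier": "mac-01", "unixTime": 1700000060,
     "columns": {"path": "/usr/bin/plutil", "username": "alice", "pid": "4101", "parent": "612",
                 "signing_id": "com.apple.plutil",
                 "cmdline": "/usr/bin/plutil -insert ProgramArguments -string /tmp/updater "
                            "/Users/alice/Library/LaunchAgents/com.example.agent.plist"}},
    {"name": "es_process_events", "hostIdentifier": "mac-02", "unixTime": 1700000120,
     "columns": {"path": "/usr/bin/plutil", "username": "bob", "pid": "2200", "parent": "500",
                 "signing_id": "com.apple.plutil",
                 "cmdline": "/usr/bin/plutil -p /Library/Preferences/com.apple.loginwindow.plist"}},
    {"name": "es_process_events", "hostIdentifier": "mac-02", "unixTime": 1700000180,
     "columns": {"path": "/bin/ls", "username": "bob", "pid": "2201", "parent": "500",
                 "signing_id": "com.apple.ls", "cmdline": "/bin/ls -la"}},
])


def security_content_ctime(epoch):
    """Same output format as the security_content_ctime macro (%m/%d/%Y %H:%M:%S, UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def flatten(record):
    """Equivalent of `rename columns.* as *`, plus the assumed _time / host mapping."""
    row = dict(record.get("columns", {}))
    row["_time"] = record["unixTime"]          # assumption: Splunk _time comes from unixTime
    row["host"] = record["hostIdentifier"]     # assumption: Splunk host comes from hostIdentifier
    return row


def macos_plutil_filter(row):
    """Assumed body of the `macos_plutil_filter` macro: keep only invocations that can
    modify a plist, i.e. drop those using a read-only flag."""
    return not any(arg in READ_ONLY_FLAGS for arg in row["process"].split())


def run_analytic(log_text, apply_filter=True):
    """Return the notable rows the SPL pipeline would produce for the given result log."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        # `osquery_macro` name=es_process_events columns.path=/usr/bin/plutil
        if record.get("name") != "es_process_events":
            continue
        if record.get("columns", {}).get("path") != "/usr/bin/plutil":
            continue
        row = flatten(record)
        # stats ... BY username host cmdline pid path parent signing_id
        buckets[tuple(row.get(f) for f in GROUP_BY)].append(row["_time"])

    results = []
    for key, times in buckets.items():
        row = {RENAME.get(k, k): v for k, v in zip(GROUP_BY, key)}
        row["count"] = len(times)
        row["firstTime"] = security_content_ctime(min(times))
        row["lastTime"] = security_content_ctime(max(times))
        if apply_filter and not macos_plutil_filter(row):
            continue
        results.append(row)
    return results


if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_LOG):
        print(json.dumps(hit, indent=2))
```

Running the block prints one notable: alice's `-insert` into a LaunchAgent plist on mac-01 with count 2; bob's `plutil -p` is a read-only inspection and is removed by the assumed filter, and the `/bin/ls` event never matches the base search. Passing `apply_filter=False` shows both plutil rows, which is the right way to check what a tuning in the filter macro is suppressing before deploying it.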