splApache-2.0from splunk/security_content
Suspicious PlistBuddy Usage
The following analytic identifies the use of the native macOS utility, PlistBuddy, to create or modify property list (.plist) files. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions involving PlistBuddy. This activity is significant because PlistBuddy can be used to establish persistence by modifying LaunchAgents, as seen in the Silver Sparrow malware. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised macOS system.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/suspicious_plistbuddy_usage.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents*
OR
Processes.process=*RunAtLoad*
OR
Processes.process=*true*)
BY Processes.dest Processes.user Processes.parent_process
Processes.process_name Processes.process Processes.process_id
Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_plistbuddy_usage_filter`