
Summary
This rule detects suspicious use of PlistBuddy, a native macOS utility for managing property list (.plist) files. Using data collected from Endpoint Detection and Response (EDR) tools, the detection matches on process names and command-line arguments that invoke PlistBuddy. The detection matters because PlistBuddy can modify LaunchAgents, which malware such as Silver Sparrow may exploit to establish persistence on a compromised machine. Malicious use of PlistBuddy can let attackers maintain a presence, run arbitrary commands, and potentially escalate privileges on macOS devices. Sysmon EventID 1, Windows Event Log Security 4688, and CrowdStrike ProcessRollup2 provide the telemetry this detection relies on.
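As an added illustration, not part of the original rule or any vendor's detection logic, the following Python applies the same idea to constructed process-creation events: it matches PlistBuddy by process name or command line, checks whether the target plist sits under a LaunchAgents or LaunchDaemons directory, and rates write commands (Add, Set, Delete, Merge, Import) above read-only ones. The event field names, sample events, and severity labels are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry); field names
# mirror a generic EDR process event with process_name and command_line.
SAMPLE_EVENTS = [
    {"host": "mac-01", "process_name": "PlistBuddy",
     "command_line": "/usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' "
                     "/Users/alice/Library/LaunchAgents/com.update.agent.plist"},
    {"host": "mac-01", "process_name": "PlistBuddy",
     "command_line": "/usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "
                     "/Applications/Safari.app/Contents/Info.plist"},
    {"host": "mac-02", "process_name": "bash",
     "command_line": "bash -c '/usr/libexec/PlistBuddy -c \"Set :ProgramArguments:0 /tmp/x\" "
                     "/Library/LaunchDaemons/com.apple.fake.plist'"},
    {"host": "mac-03", "process_name": "plutil",
     "command_line": "plutil -lint ~/Library/Preferences/com.apple.dock.plist"},
]

# PlistBuddy as the process itself or invoked somewhere in a wrapper's command line
PLISTBUDDY_RE = re.compile(r"(?:^|/)PlistBuddy\b", re.IGNORECASE)
# LaunchAgents/LaunchDaemons (user or system scope) hold launchd persistence items
LAUNCH_DIR_RE = re.compile(r"/Library/Launch(?:Agents|Daemons)/[^\s'\"]+\.plist", re.IGNORECASE)
# PlistBuddy commands that change the file; Print and Help are read-only
WRITE_CMD_RE = re.compile(r"\b(?:Add|Set|Delete|Merge|Import|Copy|Save)\b", re.IGNORECASE)


def evaluate(event):
    """Return (severity, target_plist) for one event, or None if PlistBuddy is not involved."""
    cmd = event.get("command_line", "")
    if not (PLISTBUDDY_RE.search(event.get("process_name", "")) or PLISTBUDDY_RE.search(cmd)):
        return None
    target = LAUNCH_DIR_RE.search(cmd)
    if target is None:
        return ("low", None)          # PlistBuddy on a non-launchd plist: worth logging only
    severity = "high" if WRITE_CMD_RE.search(cmd) else "medium"
    return (severity, target.group(0))


def detect(events):
    """Run evaluate() over a batch of events and collect alerts in input order."""
    alerts = []
    for ev in events:
        result = evaluate(ev)
        if result is None:
            continue
        severity, target = result
        alerts.append({"host": ev["host"], "severity": severity,
                       "target": target, "command_line": ev["command_line"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']}: {a['target'] or '(non-launchd plist)'}")
```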
Categories
- macOS
- Endpoint
Data Sources
- Pod
- User Account
- Process
- File
ATT&CK Techniques
- T1543.001
- T1543
Created: 2024-11-13