
Suspicious PlistBuddy Usage

Splunk Security Content

Summary
This rule detects suspicious use of PlistBuddy (/usr/libexec/PlistBuddy), the native macOS utility for reading and editing property list (.plist) files. It runs over process-creation telemetry collected from Endpoint Detection and Response (EDR) agents and matches on the process name together with the command line passed to PlistBuddy. The behaviour matters because PlistBuddy can create or edit LaunchAgent plists, which malware such as Silver Sparrow has used to establish persistence on a compromised Mac. If confirmed malicious, this activity lets an attacker maintain access, run arbitrary commands in the context of the logged-in user, and potentially escalate privileges on the device. The listed telemetry sources are Sysmon EventID 1, Windows Event Log Security 4688 and CrowdStrike ProcessRollup2; note that Sysmon EventID 1 and Security 4688 are Windows process-creation events and do not observe macOS hosts, so in practice the detection depends on the EDR agent's process events (for example CrowdStrike ProcessRollup2) from the Mac fleet being normalised into the process data the search queries.
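The matching logic described above, as an added example that is not Splunk's own search (the actual SPL is not shown on this page): PlistBuddy process events are flagged when the command line references a LaunchAgents directory and sets RunAtLoad to true, which is the minimal LaunchAgent persistence write. Those two criteria, the event field names (dest, user, process_name, process) and the sample events are all assumptions made for illustration; the events are constructed, not real telemetry.

```python
"""Added example: flag PlistBuddy invocations that write a LaunchAgent plist.

Not Splunk's search. The criteria (process_name == "PlistBuddy", command line
names a LaunchAgents directory and sets RunAtLoad to true) and the event
field names are assumptions chosen to mirror the page's description.
"""
import re
import shlex
from typing import Iterable, Optional

# Constructed sample process-creation events (not real EDR telemetry).
SAMPLE_EVENTS = [
    {"dest": "mac-01", "user": "alice", "process_name": "PlistBuddy",
     "process": '/usr/libexec/PlistBuddy -c "Add :RunAtLoad bool true" '
                '/Users/alice/Library/LaunchAgents/com.update.agent.plist'},
    # Benign: reading a bundle version from an app's Info.plist.
    {"dest": "mac-02", "user": "bob", "process_name": "PlistBuddy",
     "process": '/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" '
                '/Applications/Foo.app/Contents/Info.plist'},
    # System-wide LaunchAgent edited as root, "Set" form instead of "Add".
    {"dest": "mac-03", "user": "root", "process_name": "PlistBuddy",
     "process": '/usr/libexec/PlistBuddy -c "Set :RunAtLoad true" '
                '/Library/LaunchAgents/com.malware.plist'},
    # Same persistence goal via a different binary; out of scope for this rule.
    {"dest": "mac-04", "user": "carol", "process_name": "defaults",
     "process": "defaults write ~/Library/LaunchAgents/com.x.plist RunAtLoad -bool true"},
]

# Per-user (~/Library/LaunchAgents) and system-wide (/Library/LaunchAgents) paths.
LAUNCH_AGENT_DIR = re.compile(r"/LaunchAgents/", re.IGNORECASE)
# Matches both "Add :RunAtLoad bool true" and "Set :RunAtLoad true".
RUN_AT_LOAD_TRUE = re.compile(r"RunAtLoad\s+(?:bool\s+)?true", re.IGNORECASE)


def is_suspicious_plistbuddy(event: dict) -> bool:
    """Assumed detection criteria: PlistBuddy touching a LaunchAgent's RunAtLoad."""
    if event.get("process_name") != "PlistBuddy":
        return False
    cmd = event.get("process", "")
    return bool(LAUNCH_AGENT_DIR.search(cmd) and RUN_AT_LOAD_TRUE.search(cmd))


def plist_target(cmd: str) -> Optional[str]:
    """Pull the .plist path out of the command line for triage (last .plist token)."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the recorded command line
        return None
    for tok in reversed(tokens):
        if tok.endswith(".plist"):
            return tok
    return None


def detect(events: Iterable[dict]) -> list:
    """Return matching events, each enriched with the plist path that was written."""
    hits = []
    for ev in events:
        if is_suspicious_plistbuddy(ev):
            hits.append({**ev, "plist": plist_target(ev.get("process", ""))})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['dest']} user={hit['user']} wrote LaunchAgent {hit['plist']}")
```

When adapting this, check how your EDR populates the process name field (some record only the full path, in which case match on /usr/libexec/PlistBuddy), and build an allowlist keyed on the extracted plist path so MDM or installer-created LaunchAgents do not generate repeat alerts.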
Categories
  • macOS
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Process
  • File
ATT&CK Techniques
  • T1543.001
  • T1543
Created: 2024-11-13