MacOS plutil
- source: splunk
- techniques:
- T1647
Description
The following analytic detects the usage of the plutil command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of /usr/bin/plutil. This activity is significant because adversaries can use plutil to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system’s security.
Detection logic
`osquery_macro` name=es_process_events columns.path=/usr/bin/plutil
| rename columns.* as *
| stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id
| rename username as user, cmdline as process, path as process_path, host as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_plutil_filter`
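To make the search logic above concrete outside Splunk, the following is an added example (not part of the Splunk rule or the osquery project) that replays the same pipeline in Python over constructed osquery es_process_events rows: filter on columns.path, aggregate count/firstTime/lastTime by the same grouping fields, rename the fields as the rule does, and apply an allowlist in place of `macos_plutil_filter`. The JSON layout of the rows (a top-level host field and the process attributes under columns), the ctime output format, and the substring-based filter are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows in the shape osquery's es_process_events table is assumed
# to arrive in (one JSON object per line, process attributes under "columns").
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": 1700000000, "host": "mac-01", "columns": {
        "path": "/usr/bin/plutil", "username": "alice", "pid": 1201, "parent": 1100,
        "signing_id": "com.apple.plutil",
        "cmdline": "plutil -convert xml1 /Users/alice/Library/LaunchAgents/com.example.plist"}},
    {"time": 1700000060, "host": "mac-01", "columns": {
        "path": "/usr/bin/plutil", "username": "alice", "pid": 1201, "parent": 1100,
        "signing_id": "com.apple.plutil",
        "cmdline": "plutil -convert xml1 /Users/alice/Library/LaunchAgents/com.example.plist"}},
    {"time": 1700000120, "host": "mac-02", "columns": {          # not plutil: dropped by the filter
        "path": "/usr/bin/defaults", "username": "bob", "pid": 2040, "parent": 2000,
        "signing_id": "com.apple.defaults", "cmdline": "defaults read com.apple.dock"}},
    {"time": 1700000180, "host": "mac-02", "columns": {
        "path": "/usr/bin/plutil", "username": "bob", "pid": 2044, "parent": 2000,
        "signing_id": "com.apple.plutil", "cmdline": "plutil -lint /Library/Preferences/foo.plist"}},
])

# Fields the rule groups by (the SPL "stats ... by" clause).
GROUP_FIELDS = ("username", "host", "cmdline", "pid", "path", "parent", "signing_id")


def parse_events(text):
    """Parse JSON-lines osquery output into dicts, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def ctime(epoch):
    """Assumed equivalent of `security_content_ctime`: epoch -> MM-DD-YYYY HH:MM:SS (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m-%d-%Y %H:%M:%S")


def detect_plutil(events, plutil_path="/usr/bin/plutil", exclude_substrings=()):
    """Replay the rule: filter on path, aggregate, rename, then apply the allowlist.

    exclude_substrings stands in for `macos_plutil_filter`: any result whose process
    command line contains one of these substrings is suppressed as known-benign.
    """
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        cols = dict(ev.get("columns", {}))
        cols["host"] = ev.get("host")          # host is assumed to be a top-level field
        if cols.get("path") != plutil_path:
            continue
        key = tuple(cols.get(f) for f in GROUP_FIELDS)
        agg = groups[key]
        ts = int(ev.get("time", 0))
        agg["count"] += 1
        agg["first"] = ts if agg["first"] is None else min(agg["first"], ts)
        agg["last"] = ts if agg["last"] is None else max(agg["last"], ts)

    results = []
    for key, agg in groups.items():
        username, host, cmdline, pid, path, parent, signing_id = key
        # Stand-in for the filter macro: drop entries an analyst has allowlisted.
        if any(s in (cmdline or "") for s in exclude_substrings):
            continue
        results.append({
            "user": username, "process": cmdline, "process_path": path, "dest": host,
            "pid": pid, "parent": parent, "signing_id": signing_id,
            "count": agg["count"],
            "firstTime": ctime(agg["first"]), "lastTime": ctime(agg["last"]),
        })
    results.sort(key=lambda r: r["firstTime"])
    return results


if __name__ == "__main__":
    for row in detect_plutil(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(row))
```

Running the block prints one aggregated row per distinct user/host/command line/pid combination that executed /usr/bin/plutil, with first and last seen times; passing `exclude_substrings=("-lint",)` suppresses the lint-only invocation the way a tuned `macos_plutil_filter` would, while the LaunchAgents modification remains visible.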