Techniques
Sample rules
MacOS plutil
- source: splunk
- techniques:
Description
The following analytic detects the usage of the plutil command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of /usr/bin/plutil. This activity is significant because adversaries can use plutil to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system’s security.
Detection logic
`osquery_macro` name=es_process_events columns.path=/usr/bin/plutil
| rename columns.* as *
| stats count min(_time) as firstTime max(_time) as lastTime BY username host cmdline pid path parent signing_id
| rename username as user, cmdline as process, path as process_path, host as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_plutil_filter`
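The search above, re-implemented in Python over constructed osquery es_process_events records so the filter, the stats grouping and the renames can be checked offline. This is an added example, not code from the Splunk content; the JSON layout, the host field (hostIdentifier) and the allowlist standing in for the deployment-defined macos_plutil_filter macro are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real telemetry), assumed to follow osquery's
# JSON logger shape: event columns nested under "columns", host in hostIdentifier.
SAMPLE_EVENTS = """\
{"name":"es_process_events","hostIdentifier":"mac-01","unixTime":1700000000,"columns":{"username":"alice","path":"/usr/bin/plutil","cmdline":"plutil -convert xml1 /Users/alice/Library/LaunchAgents/com.example.agent.plist","pid":"4101","parent":"4000","signing_id":"com.apple.plutil"}}
{"name":"es_process_events","hostIdentifier":"mac-01","unixTime":1700000120,"columns":{"username":"alice","path":"/usr/bin/plutil","cmdline":"plutil -convert xml1 /Users/alice/Library/LaunchAgents/com.example.agent.plist","pid":"4101","parent":"4000","signing_id":"com.apple.plutil"}}
{"name":"es_process_events","hostIdentifier":"mac-02","unixTime":1700000300,"columns":{"username":"bob","path":"/usr/bin/plutil","cmdline":"plutil -lint /Library/Preferences/com.example.plist","pid":"220","parent":"1","signing_id":"com.apple.plutil"}}
{"name":"es_process_events","hostIdentifier":"mac-02","unixTime":1700000400,"columns":{"username":"bob","path":"/bin/ls","cmdline":"ls -la","pid":"221","parent":"1","signing_id":"com.apple.ls"}}
"""

# The BY clause of the stats command, and the rename step that follows it.
GROUP_KEYS = ("username", "host", "cmdline", "pid", "path", "parent", "signing_id")
RENAMES = {"username": "user", "cmdline": "process", "path": "process_path", "host": "dest"}


def ctime(ts):
    """Stand-in for the security_content_ctime macro: epoch seconds -> UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def detect_plutil(json_lines, allowlist=()):
    """Filter path=/usr/bin/plutil, stats count/min/max BY the grouping fields,
    rename, then drop rows whose process contains an allowlist entry (assumed
    behaviour of the macos_plutil_filter macro, which each deployment defines)."""
    groups = defaultdict(list)
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cols = dict(ev["columns"], host=ev["hostIdentifier"])  # rename columns.* as *
        if cols.get("path") != "/usr/bin/plutil":
            continue
        groups[tuple(cols[k] for k in GROUP_KEYS)].append(ev["unixTime"])
    results = []
    for key, times in groups.items():
        row = {RENAMES.get(k, k): v for k, v in zip(GROUP_KEYS, key)}
        row.update(count=len(times), firstTime=ctime(min(times)), lastTime=ctime(max(times)))
        if any(pat in row["process"] for pat in allowlist):
            continue
        results.append(row)
    return results


if __name__ == "__main__":
    for r in detect_plutil(SAMPLE_EVENTS, allowlist=("plutil -lint",)):
        print(r)
```

Without an allowlist both plutil groups surface; tuning the filter macro to known-good invocations (lint/convert by management tooling, for instance) is what keeps this rule from alerting on routine administration.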