LoFP / administrators using plutil to change plist files.

Techniques

Sample rules

MacOS plutil

Description

Detect usage of plutil to modify plist files. Adversaries can modify plist files to execute binaries or add command-line arguments. Plist files in auto-run locations are executed upon user logon or system startup.

Detection logic

`osquery` name=es_process_events columns.path=/usr/bin/plutil
| rename columns.* as *
| stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id
| rename username as user, cmdline as process, path as process_path, host as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_plutil_filter`
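The same search, filter, stats and rename steps carried out in Python over constructed osquery es_process_events JSON lines, as an added example that is not part of the rule or of this page. The body of `macos_plutil_filter` is not on the page, so the tuning step here is an assumed allowlist of a hypothetical management-agent parent (the administrator false positive this page is about); `hostIdentifier` stands in for Splunk's `host` field.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed osquery es_process_events records as JSON lines (not real telemetry).
SAMPLE_LOG = """\
{"name":"es_process_events","hostIdentifier":"mac-01","unixTime":1700000000,"columns":{"path":"/usr/bin/plutil","cmdline":"plutil -replace Label -string com.example /Users/alice/Library/LaunchAgents/com.example.plist","username":"alice","pid":"4242","parent":"/bin/zsh","signing_id":"com.apple.plutil"}}
{"name":"es_process_events","hostIdentifier":"mac-01","unixTime":1700000060,"columns":{"path":"/usr/bin/plutil","cmdline":"plutil -replace Label -string com.example /Users/alice/Library/LaunchAgents/com.example.plist","username":"alice","pid":"4242","parent":"/bin/zsh","signing_id":"com.apple.plutil"}}
{"name":"es_process_events","hostIdentifier":"mac-02","unixTime":1700000120,"columns":{"path":"/usr/bin/plutil","cmdline":"plutil -convert xml1 /Library/Preferences/com.example.plist","username":"_mdm","pid":"911","parent":"/usr/local/bin/mdm-agent","signing_id":"com.apple.plutil"}}
{"name":"es_process_events","hostIdentifier":"mac-02","unixTime":1700000130,"columns":{"path":"/bin/ls","cmdline":"ls -la","username":"bob","pid":"77","parent":"/bin/zsh","signing_id":"com.apple.ls"}}
"""

# Stand-in for the `macos_plutil_filter` macro (body not on the page): assumed tuning that
# drops plutil launched by a hypothetical, known management-agent parent process.
ALLOWED_PARENTS = {"/usr/local/bin/mdm-agent"}

def ctime(epoch):
    # Equivalent of `security_content_ctime`: epoch seconds -> ISO-style timestamp (UTC).
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def detect_plutil(log_text, allowed_parents=ALLOWED_PARENTS):
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        cols = ev.get("columns", {})
        # search: name=es_process_events columns.path=/usr/bin/plutil
        if ev.get("name") != "es_process_events" or cols.get("path") != "/usr/bin/plutil":
            continue
        # stats count min(_time) max(_time) by username host cmdline pid path parent signing_id
        key = (cols.get("username"), ev.get("hostIdentifier"), cols.get("cmdline"),
               cols.get("pid"), cols.get("path"), cols.get("parent"), cols.get("signing_id"))
        g, t = groups[key], ev["unixTime"]
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
    results = []
    for (user, host, cmd, pid, path, parent, sid), g in groups.items():
        if parent in allowed_parents:  # `macos_plutil_filter` stand-in (assumed allowlist)
            continue
        # rename username as user, cmdline as process, path as process_path, host as dest
        results.append({"user": user, "dest": host, "process": cmd, "process_path": path,
                        "pid": pid, "parent": parent, "signing_id": sid, "count": g["count"],
                        "firstTime": ctime(g["first"]), "lastTime": ctime(g["last"])})
    return results

if __name__ == "__main__":
    for row in detect_plutil(SAMPLE_LOG):
        print(row)
```

With the allowlist applied, only alice's two invocations on mac-01 survive as one aggregated row; passing an empty allowlist also surfaces the management-agent row, which is the false positive the filter macro is meant to remove.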