LoFP / some legitimate applications may use plistbuddy to create or modify property lists and possibly generate false positives. review the property list being modified or created to confirm.

Techniques

• T1543
• T1543.001

Sample rules

Suspicious PlistBuddy Usage

• source: splunk
• technicques:
  • T1543.001
  • T1543

Description

The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:

• PlistBuddy -c “Add :Label string init_verx” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :RunAtLoad bool true” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :StartInterval integer 3600” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :ProgramArguments array” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :ProgramArguments:0 string /bin/sh” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :ProgramArguments:1 string -c” ~/Library/Launchagents/init_verx.plist Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
|  `suspicious_plistbuddy_usage_filter`

Suspicious PlistBuddy Usage via OSquery

• source: splunk
• technicques:
  • T1543.001
  • T1543

Description

The following analytic identifies the use of a native MacOS utility, PlistBuddy, creating or modifying a properly list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:

• PlistBuddy -c “Add :Label string init_verx” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :RunAtLoad bool true” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :StartInterval integer 3600” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :ProgramArguments array” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :ProgramArguments:0 string /bin/sh” ~/Library/Launchagents/init_verx.plist
• PlistBuddy -c “Add :ProgramArguments:1 string -c” ~/Library/Launchagents/init_verx.plist Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.

Detection logic

`osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" OR "columns.cmdline"="*true*" 
|  `suspicious_plistbuddy_usage_via_osquery_filter`