Techniques
Sample rules
Suspicious PlistBuddy Usage
- source: splunk
- techniques:
- T1543.001
- T1543
Description
The following analytic identifies the use of a native macOS utility, PlistBuddy, creating or modifying a property list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:
- PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist
Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy (Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_plistbuddy_usage_filter`
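The where clause and grouping of the search above, re-implemented locally over constructed Endpoint.Processes-style events so the match logic can be inspected offline. This is added example code, not part of the Splunk rule; hostnames, users, timestamps and the benign command lines are constructed, and the Silver Sparrow command lines are taken from the description above.

```python
"""Local re-implementation of the 'Suspicious PlistBuddy Usage' predicate (example code,
not the Splunk rule). SPL wildcards are matched case-insensitively, as Splunk does."""
from collections import defaultdict
from fnmatch import fnmatchcase

PROCESS_PATTERNS = ("*LaunchAgents*", "*RunAtLoad*", "*true*")  # from the rule's where clause

def matches_rule(event):
    """True when process_name is PlistBuddy and the command line hits any wildcard pattern."""
    if event["process_name"] != "PlistBuddy":
        return False
    cmd = event["process"].lower()
    return any(fnmatchcase(cmd, p.lower()) for p in PROCESS_PATTERNS)

def run_detection(events):
    """Aggregate hits like the tstats 'by' clause: count, firstTime, lastTime per key."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches_rule(ev):
            continue
        g = groups[(ev["dest"], ev["user"], ev["parent_process"], ev["process_name"], ev["process"])]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return dict(groups)

def _ev(t, dest, user, parent, name, cmd):
    return {"_time": t, "dest": dest, "user": user, "parent_process": parent,
            "process_name": name, "process": cmd}

# Constructed sample events; the first three reproduce Silver Sparrow command lines from the write-up.
SAMPLE_EVENTS = [
    _ev(1000, "mac01", "alice", "/bin/sh", "PlistBuddy",
        'PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist'),
    _ev(1300, "mac01", "alice", "/bin/sh", "PlistBuddy",
        'PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist'),
    _ev(1400, "mac01", "alice", "/bin/sh", "PlistBuddy",
        'PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist'),
    # Benign read of an app bundle plist: hits none of the wildcards.
    _ev(2000, "mac02", "bob", "/bin/zsh", "PlistBuddy",
        'PlistBuddy -c "Print :CFBundleVersion" /Applications/Example.app/Contents/Info.plist'),
    # Benign preference edit that still fires on the broad *true* wildcard; the filter macro is where it gets tuned.
    _ev(2100, "mac02", "bob", "/bin/zsh", "PlistBuddy",
        'PlistBuddy -c "Set :Debug bool true" ~/Library/Preferences/com.example.app.plist'),
    # A different binary touching LaunchAgents is excluded by the process_name constraint.
    _ev(2200, "mac02", "bob", "/bin/zsh", "launchctl",
        "launchctl load ~/Library/LaunchAgents/com.example.agent.plist"),
]
```

The fifth event shows why `*true*` alone is noisy: any PlistBuddy boolean write outside LaunchAgents still matches, so expect to tune that pattern or the filter macro on real fleets.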
Suspicious PlistBuddy Usage via OSquery
- source: splunk
- techniques:
- T1543.001
- T1543
Description
The following analytic identifies the use of a native macOS utility, PlistBuddy, creating or modifying a property list (.plist) file. In the instance of Silver Sparrow, the following commands were executed:
- PlistBuddy -c "Add :Label string init_verx" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :RunAtLoad bool true" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :StartInterval integer 3600" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :ProgramArguments array" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :ProgramArguments:0 string /bin/sh" ~/Library/Launchagents/init_verx.plist
- PlistBuddy -c "Add :ProgramArguments:1 string -c" ~/Library/Launchagents/init_verx.plist
Upon triage, capture the property list file being written to disk and review for further indicators. Contain the endpoint and triage further.
Detection logic
`osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" OR "columns.cmdline"="*true*"
| `suspicious_plistbuddy_usage_via_osquery_filter`