trusted finder sync plugins

t1543
macos
elastic

Techniques

T1543

Sample rules

Finder Sync Plugin Registered and Enabled

source: elastic
technicques:
- T1543

Description

Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.

Detection logic

process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "pluginkit" and
  process.args == "-e" and process.args like~ "use" and process.args == "-i" and
  (process.name like~ ("python*", "node", "osascript", "bash", "sh", "zsh") or (process.parent.code_signature.exists == false or process.parent.code_signature.trusted == false))