Techniques
Sample rules
Finder Sync Plugin Registered and Enabled
- source: elastic
- techniques:
  - T1543
Description
Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by registering a rogue Finder Sync plugin that repeatedly executes a malicious payload, giving them persistence.
Detection logic
// pluginkit enabling (-e use) a plugin by identifier (-i) on macOS
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "pluginkit" and
process.args == "-e" and process.args like~ "use" and process.args == "-i" and
// launched from a scripting interpreter, or from a parent that is unsigned or not trusted
(process.parent.name like~ ("python*", "node", "osascript", "bash", "sh", "zsh") or (process.parent.code_signature.exists == false or process.parent.code_signature.trusted == false))
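As an added example (not part of the Elastic rule itself), the Python below re-implements the query's predicates and runs them over constructed ECS-style process events, showing which branch fires: the parent-process name check against scripting interpreters, or the unsigned/untrusted parent code-signature check. The plugin identifier, parent names and events are all made up.

```python
import fnmatch

def event(parent, args, signed=True, trusted=True, etype="start"):
    """Build a constructed ECS-style process event (sample data, not real telemetry)."""
    return {
        "host.os.type": "macos", "event.type": [etype],
        "process.name": "pluginkit", "process.args": ["pluginkit"] + args,
        "process.parent.name": parent,
        "process.parent.code_signature.exists": signed,
        "process.parent.code_signature.trusted": trusted,
    }

PLUGIN = "com.example.finder-sync"  # made-up plugin identifier
# Constructed sample events, one per branch of the rule.
SAMPLE_EVENTS = [
    event("Finder", ["-e", "use", "-i", PLUGIN]),                # signed, trusted parent: no match
    event("osascript", ["-e", "use", "-i", PLUGIN]),             # scripting-interpreter parent: match
    event("helper", ["-e", "use", "-i", PLUGIN], False, False),  # unsigned parent: match
    event("Python3.11", ["-e", "USE", "-i", PLUGIN]),            # like~ is case-insensitive: match
    event("bash", ["-e", "ignore", "-i", PLUGIN]),               # disables rather than enables: no match
    event("bash", ["-m", "-i", PLUGIN]),                         # lists plugins, no -e: no match
]

INTERPRETERS = ("python*", "node", "osascript", "bash", "sh", "zsh")

def like_ci(value, pattern):
    """EQL like~: case-insensitive match where * stands for any run of characters."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def matches_rule(ev):
    """True if the event satisfies every predicate of the detection logic above."""
    if ev.get("host.os.type") != "macos" or ev.get("process.name") != "pluginkit":
        return False
    if not set(ev.get("event.type", [])) & {"start", "process_started"}:
        return False
    args = ev.get("process.args", [])
    # EQL compares an array field element-wise: `process.args == "-e"` is true if any element matches.
    if "-e" not in args or "-i" not in args or not any(like_ci(a, "use") for a in args):
        return False
    parent = ev.get("process.parent.name", "")
    scripted_parent = any(like_ci(parent, p) for p in INTERPRETERS)
    untrusted_parent = (ev.get("process.parent.code_signature.exists") is False
                        or ev.get("process.parent.code_signature.trusted") is False)
    return scripted_parent or untrusted_parent

def matching_indexes(events):
    """Indexes of the events that would raise an alert under this rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]
```

Running `matching_indexes(SAMPLE_EVENTS)` returns `[1, 2, 3]`: the Finder-launched, ignore and list-only events stay quiet, while the interpreter-launched and unsigned-parent events alert.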