Techniques
Sample rules
Finder Sync Plugin Registered and Enabled
- source: elastic
- technicques:
- T1543
Description
Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.
Detection logic
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and
process.args : "-e" and process.args : "use" and process.args : "-i" and
not process.args :
(
"com.google.GoogleDrive.FinderSyncAPIExtension",
"com.google.drivefs.findersync",
"com.boxcryptor.osx.Rednif",
"com.adobe.accmac.ACCFinderSync",
"com.microsoft.OneDrive.FinderSync",
"com.insynchq.Insync.Insync-Finder-Integration",
"com.box.desktop.findersyncext"
) and
not process.parent.executable : (
"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp"
)