Finder Sync Plugin Registered and Enabled

Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/12/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse
this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.
"""
false_positives = ["Trusted Finder Sync Plugins"]
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Finder Sync Plugin Registered and Enabled"
references = [
    "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",
]
risk_score = 47
rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect; for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration preset, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and
  process.args : "-e" and process.args : "use" and process.args : "-i" and
  not process.args :
  (
    "com.google.GoogleDrive.FinderSyncAPIExtension",
    "com.google.drivefs.findersync",
    "com.boxcryptor.osx.Rednif",
    "com.adobe.accmac.ACCFinderSync",
    "com.microsoft.OneDrive.FinderSync",
    "com.insynchq.Insync.Insync-Finder-Integration",
    "com.box.desktop.findersyncext"
  ) and
  not process.parent.executable : ("/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp",
                                   "/Applications/Google Drive.app/Contents/MacOS/Google Drive") and
  not process.Ext.effective_parent.executable : ("/Applications/Google Drive.app/Contents/MacOS/Google Drive",
                                                 "/usr/local/jamf/bin/jamf",
                                                 "/Applications/Nextcloud.app/Contents/MacOS/Nextcloud",
                                                 "/Library/Application Support/Checkpoint/Endpoint Security/AMFinderExtensions.app/Contents/MacOS/AMFinderExtensions",
                                                 "/Applications/pCloud Drive.app/Contents/MacOS/pCloud Drive")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Finder Sync Plugin Registered and Enabled

Finder Sync plugins enhance macOS Finder by allowing third-party applications to integrate and modify its interface. While beneficial for legitimate software, adversaries can exploit this feature to maintain persistence by registering malicious plugins. The detection rule identifies suspicious plugin registrations by monitoring the `pluginkit` process, filtering out known safe applications, and flagging unusual activity, thus helping analysts spot potential threats.

### Possible investigation steps

- Review the process details to confirm the execution of `pluginkit` with the arguments `-e use -i <identifier>`: `-e use` elects (enables) the app extension whose bundle identifier follows `-i`, which is the step that turns a registered Finder Sync extension into a running one.
- Cross-reference the plugin identifier found in the process arguments against the list of known safe applications to determine if it is potentially malicious.
- Investigate the parent process of the `pluginkit` execution to identify any unusual or unauthorized parent processes that might suggest malicious activity.
- Check the system for any recent installations or updates of applications that might have introduced the suspicious Finder Sync plugin.
- Analyze the behavior and origin of the executable associated with the suspicious plugin to assess its legitimacy and potential threat level.
- Review system logs and other security alerts around the time of the plugin registration to identify any correlated suspicious activities or anomalies.

### False positive analysis

- Known safe applications like Google Drive, Boxcryptor, Adobe, Microsoft OneDrive, Insync, and Box are already excluded from triggering false positives. Ensure these applications are up-to-date to maintain their exclusion status.
- If a legitimate application not listed in the exclusions is causing false positives, consider adding its specific Finder Sync plugin identifier to the exclusion list after verifying its safety.
- Monitor the parent process paths of legitimate applications. If a trusted application frequently triggers alerts, add its executable path to the exclusion list to prevent unnecessary alerts.
- Regularly review and update the exclusion list to accommodate new versions or additional legitimate applications that may introduce Finder Sync plugins.
- Educate users on the importance of installing applications from trusted sources to minimize the risk of false positives and ensure that only legitimate plugins are registered.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent potential lateral movement or data exfiltration by the malicious Finder Sync plugin.
- Disable the rogue extension with `pluginkit -e ignore -i <identifier>`. The `pluginkit` process in the alert exits as soon as the election is recorded, and the extension is hosted by a separate process, so terminating `pluginkit` itself stops nothing.
- Remove the registration with `pluginkit -r <path-to-appex>`, delete the hosting bundle from disk so it cannot be re-elected, and confirm with `pluginkit -m -p com.apple.FinderSync` that the identifier no longer appears.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious payloads or artifacts.
- Review system logs and the Finder Sync plugin registration history to identify any unauthorized changes or additional compromised systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if the threat is part of a larger attack campaign.
- Implement enhanced monitoring for `pluginkit` activity and similar persistence mechanisms to detect and respond to future attempts promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
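The EQL query above can be exercised offline to see exactly which `pluginkit` invocations it keeps and which the allowlists discard. The following Python re-implements the rule's predicate over a handful of constructed Elastic Defend-style process events and pulls out the two fields the investigation steps ask for (the elected identifier and the parent executable). It is an added example, not Elastic's code: the EQL `:` operator is approximated as a case-insensitive wildcard match, and every event, timestamp, identifier (`com.example.Updater.FinderSync`, `com.corp.Sync.FinderSync`) and path (`/Users/alice/Library/Caches/.updater`) below is made up for illustration.

```python
"""Offline re-implementation of the "Finder Sync Plugin Registered and Enabled"
EQL predicate, run over constructed endpoint events. Added illustration, not
Elastic's code; EQL ':' is approximated as a case-insensitive wildcard match."""
import fnmatch
import json

# Allowlists copied verbatim from the rule's query.
PLUGIN_ALLOWLIST = (
    "com.google.GoogleDrive.FinderSyncAPIExtension",
    "com.google.drivefs.findersync",
    "com.boxcryptor.osx.Rednif",
    "com.adobe.accmac.ACCFinderSync",
    "com.microsoft.OneDrive.FinderSync",
    "com.insynchq.Insync.Insync-Finder-Integration",
    "com.box.desktop.findersyncext",
)
PARENT_ALLOWLIST = (
    "/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp",
    "/Applications/Google Drive.app/Contents/MacOS/Google Drive",
)
EFFECTIVE_PARENT_ALLOWLIST = (
    "/Applications/Google Drive.app/Contents/MacOS/Google Drive",
    "/usr/local/jamf/bin/jamf",
    "/Applications/Nextcloud.app/Contents/MacOS/Nextcloud",
    "/Library/Application Support/Checkpoint/Endpoint Security/AMFinderExtensions.app/Contents/MacOS/AMFinderExtensions",
    "/Applications/pCloud Drive.app/Contents/MacOS/pCloud Drive",
)


def eql_match(value, patterns):
    """Approximate EQL ':' on a scalar or array field: true if any element
    matches any pattern, case-insensitively, with * and ? as wildcards."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def matches_rule(event):
    """Return True when the event satisfies every clause of the rule's query."""
    proc = event.get("process", {})
    args = proc.get("args")
    return (
        event.get("host", {}).get("os", {}).get("type") == "macos"
        and event.get("event", {}).get("type") in ("start", "process_started")
        and eql_match(proc.get("name"), ["pluginkit"])
        and eql_match(args, ["-e"]) and eql_match(args, ["use"]) and eql_match(args, ["-i"])
        and not eql_match(args, PLUGIN_ALLOWLIST)
        and not eql_match(proc.get("parent", {}).get("executable"), PARENT_ALLOWLIST)
        and not eql_match(proc.get("Ext", {}).get("effective_parent", {}).get("executable"),
                          EFFECTIVE_PARENT_ALLOWLIST)
    )


def plugin_identifier(args):
    """Return the bundle identifier that follows '-i', i.e. the extension being elected."""
    for i, a in enumerate(args):
        if a == "-i" and i + 1 < len(args):
            return args[i + 1]
    return None


def triage(events):
    """Apply the rule and return (identifier, parent executable) for every hit."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            proc = ev["process"]
            hits.append((plugin_identifier(proc.get("args", [])),
                         proc.get("parent", {}).get("executable")))
    return hits


# Constructed sample events (ECS-shaped, one JSON object per line). From top to bottom:
# OneDrive electing its own extension (allowlisted id), a rogue election spawned from a
# shell (should alert), a Jamf-driven election (excluded by effective parent), a plain
# enumeration with no '-e use' (no alert), and the same rogue command on a Linux host.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"@timestamp":"2025-01-15T10:00:00Z","host":{"os":{"type":"macos"}},"event":{"type":"start"},"process":{"name":"pluginkit","args":["pluginkit","-e","use","-i","com.microsoft.OneDrive.FinderSync"],"parent":{"executable":"/Applications/OneDrive.app/Contents/MacOS/OneDrive"},"Ext":{"effective_parent":{"executable":"/Applications/OneDrive.app/Contents/MacOS/OneDrive"}}}}
{"@timestamp":"2025-01-15T10:01:00Z","host":{"os":{"type":"macos"}},"event":{"type":"start"},"process":{"name":"pluginkit","args":["pluginkit","-e","use","-i","com.example.Updater.FinderSync"],"parent":{"executable":"/bin/bash"},"Ext":{"effective_parent":{"executable":"/Users/alice/Library/Caches/.updater"}}}}
{"@timestamp":"2025-01-15T10:02:00Z","host":{"os":{"type":"macos"}},"event":{"type":"start"},"process":{"name":"pluginkit","args":["pluginkit","-e","use","-i","com.corp.Sync.FinderSync"],"parent":{"executable":"/bin/sh"},"Ext":{"effective_parent":{"executable":"/usr/local/jamf/bin/jamf"}}}}
{"@timestamp":"2025-01-15T10:03:00Z","host":{"os":{"type":"macos"}},"event":{"type":"start"},"process":{"name":"pluginkit","args":["pluginkit","-m","-p","com.apple.FinderSync"],"parent":{"executable":"/bin/zsh"},"Ext":{"effective_parent":{"executable":"/bin/zsh"}}}}
{"@timestamp":"2025-01-15T10:04:00Z","host":{"os":{"type":"linux"}},"event":{"type":"start"},"process":{"name":"pluginkit","args":["pluginkit","-e","use","-i","com.example.Updater.FinderSync"],"parent":{"executable":"/bin/bash"}}}
""".strip().splitlines()]

if __name__ == "__main__":
    for identifier, parent in triage(SAMPLE_EVENTS):
        print(f"ALERT: {identifier} elected by child of {parent}")
```

Only the second event survives: the OneDrive election is dropped by the identifier allowlist, the Jamf-driven one by the `process.Ext.effective_parent.executable` allowlist, the enumeration never passes the `-e`/`use`/`-i` clauses, and the Linux event fails `host.os.type`. Note that the rule matches only on argument presence, so a rogue extension whose identifier is chosen to collide with an allowlisted one (say `com.box.desktop.findersyncext` registered from an unsigned bundle) would not alert; that is why the investigation steps ask you to verify the bundle behind the identifier rather than trusting the name.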
