Potential Persistence Via PlistBuddy
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
Sigma rule (View on GitHub)
1title: Potential Persistence Via PlistBuddy
2id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb
3status: test
4description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
5references:
6 - https://redcanary.com/blog/clipping-silver-sparrows-wings/
7 - https://www.manpagez.com/man/8/PlistBuddy/
8author: Sohan G (D4rkCiph3r)
9date: 2023-02-18
10tags:
11 - attack.persistence
12 - attack.t1543.001
13 - attack.t1543.004
14logsource:
15 category: process_creation
16 product: macos
17detection:
18 selection:
19 Image|endswith: '/PlistBuddy'
20 CommandLine|contains|all:
21 - 'RunAtLoad'
22 - 'true'
23 CommandLine|contains:
24 - 'LaunchAgents'
25 - 'LaunchDaemons'
26 condition: selection
27falsepositives:
28 - Unknown
29level: high
References
-
Silver Sparrow includes a binary compiled to run on Apple’s new M1 chips but lacks one very important feature: a payload
Read More -
manpagez: man pages & more man PlistBuddy(8) man pages By Section Alphabetically Other versions of PlistBuddy PlistBuddy(8) BSD System Manager's Manual PlistBuddy(8) NAME PlistBuddy -- read and wri...
Read More
Related rules
- Launch Agent/Daemon Execution Via Launchctl
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted