Potential Persistence Via PlistBuddy
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
Sigma rule (View on GitHub)
1title: Potential Persistence Via PlistBuddy
2id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb
3status: test
4description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
5references:
6 - https://redcanary.com/blog/clipping-silver-sparrows-wings/
7 - https://www.manpagez.com/man/8/PlistBuddy/
8author: Sohan G (D4rkCiph3r)
9date: 2023-02-18
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.t1543.001
14 - attack.t1543.004
15logsource:
16 category: process_creation
17 product: macos
18detection:
19 selection:
20 Image|endswith: '/PlistBuddy'
21 CommandLine|contains|all:
22 - 'RunAtLoad'
23 - 'true'
24 CommandLine|contains:
25 - 'LaunchAgents'
26 - 'LaunchDaemons'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
Silver Sparrow includes a binary compiled to run on Apple’s new M1 chips but lacks one very important feature: a payload
Read More -
manpagez: man pages & more man PlistBuddy(8) man pages By Section Alphabetically Other versions of PlistBuddy PlistBuddy(8) BSD System Manager's Manual PlistBuddy(8) NAME PlistBuddy -- read and wri...
Read More
Related rules
- Launch Agent/Daemon Execution Via Launchctl
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted