Potential Persistence Via PlistBuddy
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
Sigma rule (View on GitHub)
1title: Potential Persistence Via PlistBuddy
2id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb
3status: test
4description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
5references:
6 - https://redcanary.com/blog/clipping-silver-sparrows-wings/
7 - https://www.manpagez.com/man/8/PlistBuddy/
8author: Sohan G (D4rkCiph3r)
9date: 2023/02/18
10tags:
11 - attack.persistence
12 - attack.t1543.001
13 - attack.t1543.004
14logsource:
15 category: process_creation
16 product: macos
17detection:
18 selection:
19 Image|endswith: '/PlistBuddy'
20 CommandLine|contains|all:
21 - 'RunAtLoad'
22 - 'true'
23 CommandLine|contains:
24 - 'LaunchAgents'
25 - 'LaunchDaemons'
26 condition: selection
27falsepositives:
28 - Unknown
29level: high
References
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Change Default File Association To Executable Via Assoc
- File Creation In Suspicious Directory By Msdt.EXE
- File Download Via Bitsadmin To An Uncommon Target Folder
- PSEXEC Remote Execution File Artefact