Name:MacOS plutil id:c11f2b57-92c1-4cd2-b46c-064eafb833ac version:5 date:2024-09-30 author:Patrick Bareiss, Splunk status:production type:TTP Description:The following analytic detects the usage of the `plutil` command to modify plist files on macOS systems. It leverages osquery to monitor process events, specifically looking for executions of `/usr/bin/plutil`. This activity is significant because adversaries can use `plutil` to alter plist files, potentially adding malicious binaries or command-line arguments that execute upon user logon or system startup. If confirmed malicious, this could allow attackers to achieve persistence, execute arbitrary code, or escalate privileges, posing a significant threat to the system's security. Data_source:
-osquery
search:`osquery_macro` name=es_process_events columns.path=/usr/bin/plutil | rename columns.* as * | stats count min(_time) as firstTime max(_time) as lastTime by username host cmdline pid path parent signing_id | rename username as user, cmdline as process, path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `macos_plutil_filter`
how_to_implement:This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery. known_false_positives:Administrators using plutil to change plist files. References: -https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Living Off The Land' asset_type:Endpoint confidence:50 impact:50 message:plutil are executed on $dest$ from $user$ mitre_attack_id: - 'T1647' observable: name:'user' type:'User' - role: - 'Victim' name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'columns.cmdline' - 'columns.pid' - 'columns.parent' - 'columns.path' - 'columns.signing_id' - 'columns.username' - 'host' risk_score:25 security_domain:endpoint
