Name:Suspicious PlistBuddy Usage via OSquery id:20ba6c32-c733-4a32-b64e-2688cf231399 version:4 date:2024-10-17 author:Michael Haag, Splunk status:experimental type:TTP Description:The following analytic detects the use of the PlistBuddy utility on macOS to create or modify property list (.plist) files. It leverages OSQuery to monitor process events, specifically looking for commands that interact with LaunchAgents and set properties like RunAtLoad. This activity is significant because PlistBuddy can be used to establish persistence mechanisms, as seen in malware like Silver Sparrow. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary commands, and potentially escalate privileges on the compromised system. Data_source:
search:`osquery_process` "columns.cmdline"="*LaunchAgents*" OR "columns.cmdline"="*RunAtLoad*" OR "columns.cmdline"="*true*" | `suspicious_plistbuddy_usage_via_osquery_filter`
how_to_implement:OSQuery must be installed and configured to pick up process events (info at https://osquery.io) as well as using the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. Modify the macro and validate fields are correct. known_false_positives:Some legitimate applications may use PlistBuddy to create or modify property lists and possibly generate false positives. Review the property list being modified or created to confirm. References: -https://www.marcosantadev.com/manage-plist-files-plistbuddy/ drilldown_searches:
: tags: analytic_story: - 'Silver Sparrow' asset_type:Endpoint confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1543.001' - 'T1543' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'columns.cmdline' risk_score:25 security_domain:endpoint
