From 2204459e73751d1a3d1a4167e8ec16fb90b7b840 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Tue, 23 Aug 2022 09:59:43 -0400
Subject: [PATCH] [Rule Tuning] Finder Sync Plugin Registered and Enabled (#2172)

---
 ...sistence_finder_sync_plugin_pluginkit.toml | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 15a791837..967ae50d8 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/08/25"
+updated_date = "2022/08/15"
 
 [rule]
 author = ["Elastic"]
@@ -27,21 +27,21 @@ tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
 type = "eql"
 query = '''
-sequence by host.id, user.id with maxspan = 5s
- [process where event.type in ("start", "process_started") and process.name : "pluginkit" and process.args : "-a"]
- [process where event.type in ("start", "process_started") and process.name : "pluginkit" and
- process.args : "-e" and process.args : "use" and process.args : "-i" and
- not process.args :
- (
- "com.google.GoogleDrive.FinderSyncAPIExtension",
- "com.google.drivefs.findersync",
- "com.boxcryptor.osx.Rednif",
- "com.adobe.accmac.ACCFinderSync",
- "com.microsoft.OneDrive.FinderSync",
- "com.insynchq.Insync.Insync-Finder-Integration",
- "com.box.desktop.findersyncext"
- )
- ]
+process where event.type in ("start", "process_started") and process.name : "pluginkit" and
+ process.args : "-e" and process.args : "use" and process.args : "-i" and
+ not process.args :
+ (
+ "com.google.GoogleDrive.FinderSyncAPIExtension",
+ "com.google.drivefs.findersync",
+ "com.boxcryptor.osx.Rednif",
+ "com.adobe.accmac.ACCFinderSync",
+ "com.microsoft.OneDrive.FinderSync",
+ "com.insynchq.Insync.Insync-Finder-Integration",
+ "com.box.desktop.findersyncext"
+ )
+ not process.parent.executable : (
+ "/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp"
+ )
 '''
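Review bot: The new `not process.parent.executable : ( "/Library/Application Support/IDriveforMac/..." )` exclusion keys on a single exact path, so any process started from that location is exempted from the rule regardless of what it enables; if the event source carries code-signing fields, pairing the path with a signature condition would keep the allowlist scoped to the vendor it is meant for rather than to a filesystem location. Separately, the query now matches the `pluginkit -e use -i` enable step as a single event, while the commit subject still names the rule "Registered and Enabled" and the dropped `-a` sequence step was what anchored the "Registered" half — the rule's name and description should be checked for agreement with the single-event query, or a short comment in the description should record why the registration step was removed. The hunk's trailing context lines after `'''` appear to have been lost in the collapsed patch text, so the end of the hunk is not visible here.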