[metadata] creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/02/22" [rule] author = ["Elastic"] description = """ Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. """ false_positives = ["Trusted Finder Sync Plugins"] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Finder Sync Plugin Registered and Enabled" references = [ "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf", ] risk_score = 47 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and process.args : "-e" and process.args : "use" and process.args : "-i" and not process.args : ( "com.google.GoogleDrive.FinderSyncAPIExtension", "com.google.drivefs.findersync", "com.boxcryptor.osx.Rednif", "com.adobe.accmac.ACCFinderSync", "com.microsoft.OneDrive.FinderSync", "com.insynchq.Insync.Insync-Finder-Integration", "com.box.desktop.findersyncext" ) and not process.parent.executable : ( "/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp" ) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/"