sigma-rules/rules/macos/persistence_finder_sync_plugin_pluginkit.toml

[metadata]
creation_date = "2020/12/18"
maturity = "production"
updated_date = "2020/12/18"

[rule]
author = ["Elastic"]
description = """
Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may
abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.
"""
false_positives = ["Trusted Finder Sync Plugins"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Finder Sync Plugin Registered and Enabled"
references = [
    "https://github.com/specterops/presentations/raw/master/Leo Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf",
]
risk_score = 47
rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
type = "eql"

query = '''
sequence by host.id, user.id with maxspan = 5s
  [process where event.type in ("start", "process_started") and process.name : "pluginkit" and process.args : "-a"]
  [process where event.type in ("start", "process_started") and process.name : "pluginkit" and
    process.args : "-e" and process.args : "use" and process.args : "-i" and
    not process.args :
    (
      "com.google.GoogleDrive.FinderSyncAPIExtension",
      "com.google.drivefs.findersync",
      "com.boxcryptor.osx.Rednif",
      "com.adobe.accmac.ACCFinderSync",
      "com.microsoft.OneDrive.FinderSync",
      "com.insynchq.Insync.Insync-Finder-Integration",
      "com.box.desktop.findersyncext"
    )
  ]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"