Finder Sync Plugin Registered and Enablededit
Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Defend
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule queryedit
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and
process.args : "-e" and process.args : "use" and process.args : "-i" and
not process.args :
(
"com.google.GoogleDrive.FinderSyncAPIExtension",
"com.google.drivefs.findersync",
"com.boxcryptor.osx.Rednif",
"com.adobe.accmac.ACCFinderSync",
"com.microsoft.OneDrive.FinderSync",
"com.insynchq.Insync.Insync-Finder-Integration",
"com.box.desktop.findersyncext"
) and
not process.parent.executable : (
"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp"
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/