Finder Sync Plugin Registered and Enabled | Elastic Security Solution [8.8]

› › ›

« File made Immutable by Chattr Full User-Mode Dumps Enabled System-Wide »

Finder Sync Plugin Registered and Enablededit

Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.

Rule type: eql

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf

Tags:

Elastic
Host
macOS
Threat Detection
Persistence

Version: 100 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

Trusted Finder Sync Plugins

Rule queryedit

process where event.type in ("start", "process_started") and
process.name : "pluginkit" and process.args : "-e" and process.args
: "use" and process.args : "-i" and not process.args : (
"com.google.GoogleDrive.FinderSyncAPIExtension",
"com.google.drivefs.findersync", "com.boxcryptor.osx.Rednif",
"com.adobe.accmac.ACCFinderSync",
"com.microsoft.OneDrive.FinderSync", "com.insynchq.Insync.Insync-
Finder-Integration", "com.box.desktop.findersyncext" ) and not
process.parent.executable : ( "/Library/Application Support/IDrive
forMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPlug
inApp" )

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/

Rule version historyedit

Version 100 (8.5.0 release)

Updated query, changed from:

sequence by host.id, user.id with maxspan = 5s [process where
event.type in ("start", "process_started") and process.name :
"pluginkit" and process.args : "-a"] [process where event.type in
("start", "process_started") and process.name : "pluginkit" and
process.args : "-e" and process.args : "use" and process.args : "-i"
and not process.args : (
"com.google.GoogleDrive.FinderSyncAPIExtension",
"com.google.drivefs.findersync", "com.boxcryptor.osx.Rednif",
"com.adobe.accmac.ACCFinderSync",
"com.microsoft.OneDrive.FinderSync",
"com.insynchq.Insync.Insync-Finder-Integration",
"com.box.desktop.findersyncext" ) ]

Version 3 (8.4.0 release)

Formatting only

Version 2 (7.15.0 release)

Formatting only

« File made Immutable by Chattr Full User-Mode Dumps Enabled System-Wide »