IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Screensaver Plist File Modified by Unexpected Process
editScreensaver Plist File Modified by Unexpected Process
editIdentifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Persistence
Version: 1
Added (Elastic Stack release): 7.16.0
Rule authors: Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis - Analyze the plist file modification event to identify whether the change was expected or not - Investigate the process that modified the plist file for malicious code or other suspicious behavior - Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host
Rule query
editfile where event.type != "deletion" and file.name: "com.apple.screensaver.*.plist" and file.path : ( "/Users/*/Library/Preferences/ByHost/*", "/Library/Managed Preferences/*", "/System/Library/Preferences/*" ) and /* Filter OS processes modifying screensaver plist files */ not process.executable : ( "/usr/sbin/cfprefsd", "/usr/libexec/xpcproxy", "/System/Library/CoreServices/ManagedClie nt.app/Contents/Resources/MCXCompositor", "/System/Library/CoreSer vices/ManagedClient.app/Contents/MacOS/ManagedClient" )
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/