IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Screensaver Plist File Modified by Unexpected Process
Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Persistence
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
## Triage and analysis

- Analyze the plist file modification event to identify whether the change was expected or not
- Investigate the process that modified the plist file for malicious code or other suspicious behavior
- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host

## Config

If you enable an EQL rule on a non-Elastic Agent index (such as Beats) on versions earlier than 8.2, events will not define `event.ingested`, and the default fallback for EQL rules was not added until 8.2, so you will need to add a custom ingest pipeline that populates `event.ingested` from `@timestamp` for this rule to work.
Rule query
```eql
file where event.type != "deletion" and
  file.name : "com.apple.screensaver.*.plist" and
  file.path : (
    "/Users/*/Library/Preferences/ByHost/*",
    "/Library/Managed Preferences/*",
    "/System/Library/Preferences/*"
  ) and
  /* Filter OS processes modifying screensaver plist files */
  not process.executable : (
    "/usr/sbin/cfprefsd",
    "/usr/libexec/xpcproxy",
    "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor",
    "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient"
  )
```
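To show how the query's three conditions interact (event type, name and path wildcards, and the OS-process exclusion list), here is an added Python re-implementation of the rule logic run over constructed sample events; it is not Elastic's code, it approximates EQL's case-insensitive `:` wildcard operator with `fnmatch`, and the file paths and the `installer` process are invented.

```python
import fnmatch

# Patterns copied from the rule query; EQL ':' is a case-insensitive wildcard match
NAME_PATTERN = "com.apple.screensaver.*.plist"
PATH_PATTERNS = ("/Users/*/Library/Preferences/ByHost/*",
                 "/Library/Managed Preferences/*", "/System/Library/Preferences/*")
OS_PROCESSES = (  # macOS components that legitimately write these plists
    "/usr/sbin/cfprefsd", "/usr/libexec/xpcproxy",
    "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor",
    "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient")

def wild(value, pattern):
    # Approximates the EQL ':' operator: wildcard match, case-insensitive
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def matches_rule(event):
    """True when one flattened ECS file event satisfies the rule query."""
    if event.get("event.type") == "deletion":
        return False
    if not wild(event.get("file.name", ""), NAME_PATTERN):
        return False
    if not any(wild(event.get("file.path", ""), p) for p in PATH_PATTERNS):
        return False
    # Exclusion list from the query: the expected OS writers never alert
    if any(wild(event.get("process.executable", ""), p) for p in OS_PROCESSES):
        return False
    return True

# Constructed sample events (not real telemetry), keyed by flattened ECS field names
BYHOST = "/Users/alice/Library/Preferences/ByHost/"
SAMPLE_EVENTS = [
    {"id": "os-write", "event.type": "change", "file.name": "com.apple.screensaver.0A1B.plist",
     "file.path": BYHOST + "com.apple.screensaver.0A1B.plist", "process.executable": "/usr/sbin/cfprefsd"},
    {"id": "unexpected-write", "event.type": "creation", "file.name": "com.apple.screensaver.0A1B.plist",
     "file.path": BYHOST + "com.apple.screensaver.0A1B.plist", "process.executable": "/Users/alice/Downloads/installer"},
    {"id": "deleted", "event.type": "deletion", "file.name": "com.apple.screensaver.0A1B.plist",
     "file.path": "/Library/Managed Preferences/com.apple.screensaver.0A1B.plist", "process.executable": "/Users/alice/Downloads/installer"},
    {"id": "other-plist", "event.type": "change", "file.name": "com.apple.dock.plist",
     "file.path": BYHOST + "com.apple.dock.plist", "process.executable": "/Users/alice/Downloads/installer"},
]

def alerting_event_ids(events=SAMPLE_EVENTS):
    """IDs of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_event_ids())  # ['unexpected-write']
```

Only the write by the non-OS process to a screensaver plist under a watched path survives all three filters; the cfprefsd write, the deletion and the unrelated dock plist are dropped, which is the behaviour to keep in mind when tuning the exclusion list for your own fleet.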
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Event Triggered Execution
  - ID: T1546
  - Reference URL: https://attack.mitre.org/techniques/T1546/