IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Screensaver Plist File Modified by Unexpected Process
editScreensaver Plist File Modified by Unexpected Process
editIdentifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Defend
Version: 104
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis - Analyze the plist file modification event to identify whether the change was expected or not - Investigate the process that modified the plist file for malicious code or other suspicious behavior - Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host
Rule query
editfile where host.os.type == "macos" and event.type != "deletion" and file.name: "com.apple.screensaver.*.plist" and file.path : ( "/Users/*/Library/Preferences/ByHost/*", "/Library/Managed Preferences/*", "/System/Library/Preferences/*" ) and ( process.code_signature.trusted == false or process.code_signature.exists == false or /* common script interpreters and abused native macOS bins */ process.name : ( "curl", "mktemp", "tail", "funzip", "python*", "osascript", "perl" ) ) and /* Filter OS processes modifying screensaver plist files */ not process.executable : ( "/usr/sbin/cfprefsd", "/usr/libexec/xpcproxy", "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor", "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient" )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/