Which SIEM platforms have a T1647 detection rule?

df00tech provides T1647 (Plist File Modification) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Plist File Modification (T1647)?

Detecting Plist File Modification requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1647 detection?

The T1647 detection is rated high severity with medium confidence.

What are common false positives for T1647?

Common false positives for T1647 include: Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup; System administrators using the defaults command to manage enterprise preferences and MDM profiles; Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation.

T1647: Plist File Modification — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let SuspiciousPlistKeys = dynamic(["LSUIElement", "LSEnvironment", "RunAtLoad", "ProgramArguments", "StartCalendarInterval", "KeepAlive", "DFBundleDisplayName", "CFBundleIdentifier", "LSBackgroundOnly"]);
let PersistencePaths = dynamic(["LaunchAgents", "LaunchDaemons", "com.apple.dock", "com.apple.loginwindow", "com.apple.loginitems"]);
let PlistEditors = dynamic(["plutil", "PlistBuddy", "defaults"]);
let SuspiciousParents = dynamic(["bash", "zsh", "sh", "python3", "perl", "ruby", "osascript", "curl", "wget"]);
// Primary: direct plist editor execution with suspicious arguments
let DirectEdits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (PlistEditors)
| where ProcessCommandLine has ".plist"
| where ProcessCommandLine has_any ("-insert", "-replace", "-set", "-remove", "write", "-convert", "-extract", "add", "delete")
| extend MatchedKey = case(
    ProcessCommandLine has_any (SuspiciousPlistKeys), "SuspiciousPlistKey",
    ProcessCommandLine has_any (PersistencePaths), "PersistencePath",
    true, "GenericPlistEdit"
)
| extend DetectionType = "DirectPlistEdit";
// Secondary: scripting language modifying plist files directly
let ScriptEdits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python3", "python", "perl", "ruby", "osascript", "node")
| where ProcessCommandLine has ".plist"
| where ProcessCommandLine has_any ("writePlist", "plistlib", "NSUserDefaults", "CFPreferences", "PropertyList", "plist.write")
| extend MatchedKey = "ScriptingLanguagePlistWrite"
| extend DetectionType = "ScriptPlistEdit";
// Combine and enrich
DirectEdits
| union ScriptEdits
| extend SuspiciousParentContext = InitiatingProcessFileName in~ (SuspiciousParents)
| extend SuspiciousPathContext = FolderPath has_any ("tmp", ".hidden", "Downloads", "Library/Application Support")
| extend RiskScore = case(
    MatchedKey == "SuspiciousPlistKey" and SuspiciousParentContext, 90,
    MatchedKey == "PersistencePath" and SuspiciousParentContext, 80,
    MatchedKey == "SuspiciousPlistKey", 70,
    MatchedKey == "PersistencePath", 65,
    SuspiciousParentContext, 50,
    40
)
| where RiskScore >= 50
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, MatchedKey, DetectionType, RiskScore, FolderPath
| order by RiskScore desc, Timestamp desc

Detects execution of macOS plist editing utilities (plutil, PlistBuddy, defaults) and scripting language invocations that write to plist files. The query prioritizes modifications targeting high-risk keys (LSUIElement, LSEnvironment, RunAtLoad, ProgramArguments) and persistence paths (LaunchAgents, LaunchDaemons) while scoring alerts based on parent process context and invocation patterns consistent with malware behavior.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation
Homebrew package manager modifying application plist files during install or upgrade operations
IT management tools (Jamf, Munki, Chef) that programmatically write LaunchAgent plists for legitimate automation

Splunk

spl

index=* (sourcetype="macos:unified_log" OR sourcetype="macos_security" OR sourcetype="crowdstrike:events:ProcessRollup2" OR sourcetype="carbon_black:edr:json" OR sourcetype="jamf:pro:inventory")
| where (process_name IN ("plutil", "PlistBuddy", "defaults") OR (process_name IN ("python3", "python", "perl", "ruby", "osascript") AND like(process_cmdline, "%.plist%")))
| where like(process_cmdline, "%-insert%") OR like(process_cmdline, "%-replace%") OR like(process_cmdline, "%-set%") OR like(process_cmdline, "%write%") OR like(process_cmdline, "%-convert%") OR like(process_cmdline, "%add%") OR like(process_cmdline, "%-extract%")
| eval suspicious_key=case(
    match(process_cmdline, "LSUIElement|LSEnvironment|LSBackgroundOnly"), "ui_suppression_key",
    match(process_cmdline, "RunAtLoad|ProgramArguments|StartCalendarInterval|KeepAlive"), "launch_persistence_key",
    match(process_cmdline, "LaunchAgents|LaunchDaemons"), "persistence_directory",
    match(process_cmdline, "com\\.apple\\.dock|loginwindow|loginitems"), "system_preference_key",
    match(process_cmdline, "DFBundleDisplayName|CFBundleIdentifier"), "bundle_identity_key",
    1=1, "generic_plist_modification"
)
| eval suspicious_parent=case(
    match(parent_process_name, "bash|zsh|sh|csh|curl|wget|python3|perl|ruby"), "true",
    1=1, "false"
)
| eval risk_score=case(
    suspicious_key IN ("ui_suppression_key", "launch_persistence_key") AND suspicious_parent="true", 90,
    suspicious_key="persistence_directory" AND suspicious_parent="true", 80,
    suspicious_key IN ("ui_suppression_key", "launch_persistence_key"), 70,
    suspicious_key="persistence_directory", 60,
    suspicious_parent="true", 50,
    1=1, 35
)
| where risk_score >= 50
| table _time, host, user, process_name, process_cmdline, parent_process_name, suspicious_key, suspicious_parent, risk_score
| sort - risk_score, - _time

Detects plist modification activity on macOS endpoints using endpoint agent telemetry. The query identifies execution of plutil, PlistBuddy, and the defaults command with write/modify arguments targeting sensitive plist keys associated with UI hiding (LSUIElement), environment variable injection (LSEnvironment), and persistence mechanisms (RunAtLoad, ProgramArguments). Risk scoring elevates alerts when a shell or scripting interpreter is the parent process.

high severity medium confidence

Data Sources

CrowdStrike Falcon Carbon Black EDR macOS Unified Log

Required Sourcetypes

crowdstrike:events:ProcessRollup2 carbon_black:edr:json macos:unified_log

False Positives

Application installers using plutil or PlistBuddy to write configuration during first-run setup
MDM enrollment workflows (Jamf, Kandji, Mosyle) that configure LaunchAgent plists for management agents
Developer build systems modifying Info.plist keys (CFBundleIdentifier, CFBundleDisplayName) during app compilation
Homebrew formulae post-install scripts that write launchd service plists for background services
IT automation scripts legitimately using the defaults command to enforce organizational preferences

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1647*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

Elastic EQL detection for Plist File Modification (T1647). Identifies plist file modification activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

IBM QRadar AQL detection for Plist File Modification (T1647). Queries QRadar event pipeline for indicators consistent with plist file modification adversary techniques using MITRE ATT&CK-aligned event categorization.

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

Sumo Logic detection for Plist File Modification (T1647). Identifies adversary plist file modification behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

Google Chronicle / SecOps

yaral

rule detection_t1647 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Plist File Modification - T1647"
    severity = "HIGH"
    mitre_attack = "T1647"
    reference = "https://attack.mitre.org/techniques/T1647/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule for detecting Plist File Modification (T1647). Uses Chronicle UDM event model to identify plist file modification behaviors across endpoint and cloud telemetry.

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

CrowdStrike LogScale CQL detection for Plist File Modification (T1647). Queries Falcon telemetry for plist file modification behavioral indicators aligned with MITRE ATT&CK T1647.

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

Plist File Modification

What is T1647 Plist File Modification?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1647

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1647 Plist File Modification?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1647

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox