T1647 Plist File Modification Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPlistKeys = dynamic(["LSUIElement", "LSEnvironment", "RunAtLoad", "ProgramArguments", "StartCalendarInterval", "KeepAlive", "DFBundleDisplayName", "CFBundleIdentifier", "LSBackgroundOnly"]);
let PersistencePaths = dynamic(["LaunchAgents", "LaunchDaemons", "com.apple.dock", "com.apple.loginwindow", "com.apple.loginitems"]);
let PlistEditors = dynamic(["plutil", "PlistBuddy", "defaults"]);
let SuspiciousParents = dynamic(["bash", "zsh", "sh", "python3", "perl", "ruby", "osascript", "curl", "wget"]);
// Primary: direct plist editor execution with suspicious arguments
let DirectEdits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (PlistEditors)
| where ProcessCommandLine has ".plist"
| where ProcessCommandLine has_any ("-insert", "-replace", "-set", "-remove", "write", "-convert", "-extract", "add", "delete")
| extend MatchedKey = case(
    ProcessCommandLine has_any (SuspiciousPlistKeys), "SuspiciousPlistKey",
    ProcessCommandLine has_any (PersistencePaths), "PersistencePath",
    true, "GenericPlistEdit"
)
| extend DetectionType = "DirectPlistEdit";
// Secondary: scripting language modifying plist files directly
let ScriptEdits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python3", "python", "perl", "ruby", "osascript", "node")
| where ProcessCommandLine has ".plist"
| where ProcessCommandLine has_any ("writePlist", "plistlib", "NSUserDefaults", "CFPreferences", "PropertyList", "plist.write")
| extend MatchedKey = "ScriptingLanguagePlistWrite"
| extend DetectionType = "ScriptPlistEdit";
// Combine and enrich
DirectEdits
| union ScriptEdits
| extend SuspiciousParentContext = InitiatingProcessFileName in~ (SuspiciousParents)
| extend SuspiciousPathContext = FolderPath has_any ("tmp", ".hidden", "Downloads", "Library/Application Support")
| extend RiskScore = case(
    MatchedKey == "SuspiciousPlistKey" and SuspiciousParentContext, 90,
    MatchedKey == "PersistencePath" and SuspiciousParentContext, 80,
    MatchedKey == "SuspiciousPlistKey", 70,
    MatchedKey == "PersistencePath", 65,
    SuspiciousParentContext, 50,
    40
)
| where RiskScore >= 50
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, MatchedKey, DetectionType, RiskScore, FolderPath
| order by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation
Homebrew package manager modifying application plist files during install or upgrade operations
IT management tools (Jamf, Munki, Chef) that programmatically write LaunchAgent plists for legitimate automation

Splunk

spl

index=* (sourcetype="macos:unified_log" OR sourcetype="macos_security" OR sourcetype="crowdstrike:events:ProcessRollup2" OR sourcetype="carbon_black:edr:json" OR sourcetype="jamf:pro:inventory")
| where (process_name IN ("plutil", "PlistBuddy", "defaults") OR (process_name IN ("python3", "python", "perl", "ruby", "osascript") AND like(process_cmdline, "%.plist%")))
| where like(process_cmdline, "%-insert%") OR like(process_cmdline, "%-replace%") OR like(process_cmdline, "%-set%") OR like(process_cmdline, "%write%") OR like(process_cmdline, "%-convert%") OR like(process_cmdline, "%add%") OR like(process_cmdline, "%-extract%")
| eval suspicious_key=case(
    match(process_cmdline, "LSUIElement|LSEnvironment|LSBackgroundOnly"), "ui_suppression_key",
    match(process_cmdline, "RunAtLoad|ProgramArguments|StartCalendarInterval|KeepAlive"), "launch_persistence_key",
    match(process_cmdline, "LaunchAgents|LaunchDaemons"), "persistence_directory",
    match(process_cmdline, "com\\.apple\\.dock|loginwindow|loginitems"), "system_preference_key",
    match(process_cmdline, "DFBundleDisplayName|CFBundleIdentifier"), "bundle_identity_key",
    1=1, "generic_plist_modification"
)
| eval suspicious_parent=case(
    match(parent_process_name, "bash|zsh|sh|csh|curl|wget|python3|perl|ruby"), "true",
    1=1, "false"
)
| eval risk_score=case(
    suspicious_key IN ("ui_suppression_key", "launch_persistence_key") AND suspicious_parent="true", 90,
    suspicious_key="persistence_directory" AND suspicious_parent="true", 80,
    suspicious_key IN ("ui_suppression_key", "launch_persistence_key"), 70,
    suspicious_key="persistence_directory", 60,
    suspicious_parent="true", 50,
    1=1, 35
)
| where risk_score >= 50
| table _time, host, user, process_name, process_cmdline, parent_process_name, suspicious_key, suspicious_parent, risk_score
| sort - risk_score, - _time

high severity medium confidence

Data Sources

CrowdStrike Falcon Carbon Black EDR macOS Unified Log

Required Sourcetypes

crowdstrike:events:ProcessRollup2 carbon_black:edr:json macos:unified_log

False Positives

Application installers using plutil or PlistBuddy to write configuration during first-run setup
MDM enrollment workflows (Jamf, Kandji, Mosyle) that configure LaunchAgent plists for management agents
Developer build systems modifying Info.plist keys (CFBundleIdentifier, CFBundleDisplayName) during app compilation
Homebrew formulae post-install scripts that write launchd service plists for background services
IT automation scripts legitimately using the defaults command to enforce organizational preferences

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1647*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

Google Chronicle / SecOps

yaral

rule detection_t1647 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Plist File Modification - T1647"
    severity = "HIGH"
    mitre_attack = "T1647"
    reference = "https://attack.mitre.org/techniques/T1647/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
System administrators using the defaults command to manage enterprise preferences and MDM profiles
Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation

Plist File Modification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections