T1647 CrowdStrike LogScale · LogScale

Detect Plist File Modification in CrowdStrike LogScale

This detection identifies adversarial modification of macOS property list (plist) files to enable persistence, evade defenses, or alter application behavior. Attackers use tools such as plutil, PlistBuddy, and the defaults command to insert or modify keys like LSUIElement (hide app from UI), LSEnvironment (inject environment variables for dynamic linker hijacking), RunAtLoad, and ProgramArguments in LaunchAgent or LaunchDaemon plists. Known malware families including XCSSET and Cuckoo Stealer abuse plist modification to persist across reboots and conceal malicious processes. The detection monitors process execution of common plist editing utilities with arguments targeting sensitive keys and system persistence paths.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1647 Plist File Modification
Canonical reference
https://attack.mitre.org/techniques/T1647/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)
high severity medium confidence

CrowdStrike LogScale CQL detection for Plist File Modification (T1647). Queries Falcon telemetry for plist file modification behavioral indicators aligned with MITRE ATT&CK T1647.

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2SyntheticProcessRollup2

False Positives & Tuning

  • Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
  • System administrators using the defaults command to manage enterprise preferences and MDM profiles
  • Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation
Download portable Sigma rule (.yml)

Other platforms for T1647

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Modify LSUIElement to hide macOS application via plutil

    Expected signal: DeviceProcessEvents: plutil process with -insert LSUIElement argument targeting a .plist file path; InitiatingProcessFileName will be the shell (bash/zsh)

  2. Test 2Write malicious LaunchAgent plist for persistence via PlistBuddy

    Expected signal: DeviceProcessEvents: PlistBuddy with multiple Add command invocations targeting ~/Library/LaunchAgents/; DeviceFileEvents: .plist file creation in LaunchAgents directory

  3. Test 3Inject LSEnvironment with DYLD_INSERT_LIBRARIES for dynamic linker hijacking setup

    Expected signal: DeviceProcessEvents: PlistBuddy with 'Add :LSEnvironment dict' and 'Add :LSEnvironment:DYLD_INSERT_LIBRARIES' command arguments; high-fidelity process args containing both LSEnvironment and DYLD_INSERT_LIBRARIES strings

Last updated: 2026-03-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1647 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1543.001Launch AgentT1543.004Launch DaemonT1574.006Dynamic Linker HijackingT1564.003Hidden WindowT1547.007Re-opened ApplicationsT1564.012File/Path ExclusionsT1055.011Extra Window Memory InjectionT1222.002Linux and Mac File and Directory Permissions Modification

Same Tactic: Defense Evasion

Popular Detections