Detect Plist File Modification in Sumo Logic CSE
This detection identifies adversarial modification of macOS property list (plist) files to enable persistence, evade defenses, or alter application behavior. Attackers use tools such as plutil, PlistBuddy, and the defaults command to insert or modify keys like LSUIElement (hide app from UI), LSEnvironment (inject environment variables for dynamic linker hijacking), RunAtLoad, and ProgramArguments in LaunchAgent or LaunchDaemon plists. Known malware families including XCSSET and Cuckoo Stealer abuse plist modification to persist across reboots and conceal malicious processes. The detection monitors process execution of common plist editing utilities with arguments targeting sensitive keys and system persistence paths.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1647 Plist File Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1647/
Sumo Detection Query
_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
if(process_cmdline matches /-bypass/i, "BypassExecution",
if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
"SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
if(process_cmdline matches /-enc/i, 85,
if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_scoreSumo Logic detection for Plist File Modification (T1647). Identifies adversary plist file modification behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate macOS application installers using plutil or PlistBuddy to configure app preferences during setup
- System administrators using the defaults command to manage enterprise preferences and MDM profiles
- Developer tooling such as Xcode build scripts or CocoaPods that modify Info.plist during compilation
Other platforms for T1647
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Modify LSUIElement to hide macOS application via plutil
Expected signal: DeviceProcessEvents: plutil process with -insert LSUIElement argument targeting a .plist file path; InitiatingProcessFileName will be the shell (bash/zsh)
- Test 2Write malicious LaunchAgent plist for persistence via PlistBuddy
Expected signal: DeviceProcessEvents: PlistBuddy with multiple Add command invocations targeting ~/Library/LaunchAgents/; DeviceFileEvents: .plist file creation in LaunchAgents directory
- Test 3Inject LSEnvironment with DYLD_INSERT_LIBRARIES for dynamic linker hijacking setup
Expected signal: DeviceProcessEvents: PlistBuddy with 'Add :LSEnvironment dict' and 'Add :LSEnvironment:DYLD_INSERT_LIBRARIES' command arguments; high-fidelity process args containing both LSEnvironment and DYLD_INSERT_LIBRARIES strings
References (7)
- https://attack.mitre.org/techniques/T1647/
- https://objective-see.org/blog.html
- https://www.sentinelone.com/blog/cuckoo-stealer-macos-malware/
- https://www.welivesecurity.com/2012/03/02/the-flashback-files-a-closer-look-at-the-osx-flashback-malware-family/
- https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html
- https://www.kandji.io/blog/cuckoo-malware
- https://www.microsoft.com/en-us/security/blog/2022/01/27/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/
Unlock Pro Content
Get the full detection package for T1647 including response playbook, investigation guide, and atomic red team tests.