macOS Finder Sync Plugin Persistence via Pluginkit

Finder Sync plugins extend the functionality of macOS Finder, allowing users to modify the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. The pluginkit command is used to manage these plugins. This rule identifies suspicious plugin registrations by monitoring the pluginkit process and filtering out known safe applications, flagging unusual activity to help analysts spot potential threats. Legitimate applications like Google Drive, Boxcryptor, Adobe Creative Cloud, Microsoft OneDrive, Insync, and Box can utilize these plugins, so identifying malicious use is critical.

Attack Chain

1. The user installs a malicious application or unknowingly executes a script that contains instructions to install a malicious Finder Sync plugin.
2. The malicious application or script executes the pluginkit command with the -e, use, and -i flags to register a new Finder Sync plugin.
3. pluginkit registers the malicious plugin, adding it to the system’s list of available Finder extensions.
4. The Finder process detects the newly registered plugin and loads it.
5. The malicious plugin executes its payload, which could involve running arbitrary code or modifying the Finder interface.
6. The plugin’s code is designed to maintain persistence, potentially re-executing after system restarts or user logins.
7. The malicious plugin establishes a connection to a command-and-control server for further instructions.

Impact

Successful exploitation leads to persistent execution of malicious code on macOS systems. Attackers can maintain unauthorized access, steal sensitive information, or perform other malicious activities. The rule helps detect and prevent such persistence mechanisms, reducing the risk of long-term compromise. While the number of victims is unknown, targeted sectors could include any environment where macOS is prevalent, such as creative industries or software development.

Recommendation

• Enable Elastic Defend and ensure it’s configured to monitor process execution events to activate the detections (setup guide in rule description).
• Deploy the provided Sigma rules to detect suspicious pluginkit executions and tune for your environment.
• Investigate any alerts generated by the Sigma rules, focusing on the parent processes and plugin identifiers involved.
• Block known malicious parent processes (python, node, osascript, bash, sh, zsh) when spawning pluginkit with -e -i use arguments based on identified incidents.