{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/adobe-creative-cloud/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OneDrive","Google Drive","Boxcryptor","Adobe Creative Cloud","Insync","Box"],"_cs_severities":["medium"],"_cs_tags":["persistence","macos","pluginkit","finder sync plugin"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Google","Boxcryptor","Adobe"],"content_html":"\u003cp\u003eFinder Sync plugins extend the functionality of macOS Finder, allowing users to modify the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. The \u003ccode\u003epluginkit\u003c/code\u003e command is used to manage these plugins. This rule identifies suspicious plugin registrations by monitoring the \u003ccode\u003epluginkit\u003c/code\u003e process and filtering out known safe applications, flagging unusual activity to help analysts spot potential threats. \nLegitimate applications like Google Drive, Boxcryptor, Adobe Creative Cloud, Microsoft OneDrive, Insync, and Box can utilize these plugins, so identifying malicious use is critical.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user installs a malicious application or unknowingly executes a script that contains instructions to install a malicious Finder Sync plugin.\u003c/li\u003e\n\u003cli\u003eThe malicious application or script executes the \u003ccode\u003epluginkit\u003c/code\u003e command with the \u003ccode\u003e-e\u003c/code\u003e, \u003ccode\u003euse\u003c/code\u003e, and \u003ccode\u003e-i\u003c/code\u003e flags to register a new Finder Sync plugin.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epluginkit\u003c/code\u003e registers the malicious plugin, adding it to the system\u0026rsquo;s list of available Finder extensions.\u003c/li\u003e\n\u003cli\u003eThe Finder process detects the newly registered plugin and loads it.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin executes its payload, which could involve running arbitrary code or modifying the Finder interface.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s code is designed to maintain persistence, potentially re-executing after system restarts or user logins.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin establishes a connection to a command-and-control server for further instructions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to persistent execution of malicious code on macOS systems. Attackers can maintain unauthorized access, steal sensitive information, or perform other malicious activities. The rule helps detect and prevent such persistence mechanisms, reducing the risk of long-term compromise. \nWhile the number of victims is unknown, targeted sectors could include any environment where macOS is prevalent, such as creative industries or software development.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Elastic Defend and ensure it\u0026rsquo;s configured to monitor process execution events to activate the detections (setup guide in rule description).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect suspicious \u003ccode\u003epluginkit\u003c/code\u003e executions and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the parent processes and plugin identifiers involved.\u003c/li\u003e\n\u003cli\u003eBlock known malicious parent processes (python, node, osascript, bash, sh, zsh) when spawning \u003ccode\u003epluginkit\u003c/code\u003e with \u003ccode\u003e-e -i use\u003c/code\u003e arguments based on identified incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T12:34:00Z","date_published":"2026-05-18T12:34:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-finder-sync-plugin-persistence/","summary":"This rule detects suspicious Finder Sync plugin registrations on macOS, where adversaries abuse the pluginkit process to establish persistence by repeatedly executing malicious payloads.","title":"macOS Finder Sync Plugin Persistence via Pluginkit","url":"https://feed.craftedsignal.io/briefs/2026-05-finder-sync-plugin-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Adobe Creative Cloud","version":"https://jsonfeed.org/version/1.1"}