Suspicious Apple Mail Rule Plist Modification
Detects suspicious creation or modification of the Apple Mail SyncedRules plist file by a non-Mail application. An adversary could establish persistence by creating or modifying an Apple Mail rule to point to a script file on disk, which will execute when an email matching the trigger is received.
Rule type: eql
Rule indices:
- logs-endpoint.events.file-*
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Defend
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
file where host.os.type == "macos" and event.type != "deletion" and
file.name == "SyncedRules.plist" and
file.path like ("/Users/*/Library/Mail/*/MailData/SyncedRules.plist",
"/Users/*/Library/Mobile Documents/com.apple.mail/Data/*/MailData/SyncedRules.plist") and
not process.executable like ("/System/Applications/Mail.app/Contents/MacOS/Mail",
"/Applications/Mail.app/Contents/MacOS/Mail",
"/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd",
"/usr/libexec/xpcproxy",
"/System/Library/Frameworks/FileProvider.framework/Support/fileproviderd",
"/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird",
"/sbin/launchd",
"/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder")
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Event Triggered Execution
- Id: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/
Framework: MITRE ATT&CK
Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: User Execution
- Id: T1204
- Reference URL: https://attack.mitre.org/techniques/T1204/