This artifact examines the contents of the user’s dock. The property list entry for each application represented within the dock can be modified to point to a malcious application.
By comparing the application name, CFURLString, and book, we can gather greater context to assist in determining if an adversary may have tampered with an entry, or if an entry has been added to emulate a legitimate application.
name: MacOS.System.Dock
description: |
This artifact examines the contents of the user's dock. The
property list entry for each application represented within the dock
can be modified to point to a malcious application.
By comparing the application name, CFURLString, and book, we can
gather greater context to assist in determining if an adversary may
have tampered with an entry, or if an entry has been added to
emulate a legitimate application.
reference:
- https://specterops.io/so-con2020/event-758922
- https://attack.mitre.org/techniques/T1547/009/
- https://attack.mitre.org/techniques/T1647/
author: Wes Lambert - @therealwlambert
type: CLIENT
parameters:
- name: DockGlob
default: /Users/*/Library/Preferences/com.apple.dock.plist
sources:
- query: |
SELECT * FROM foreach(row={
SELECT OSPath from glob(globs=DockGlob)
}, query={
SELECT OSPath, GUID,
get(member="tile-data.file-label") AS FileLabel,
get(member="tile-data.file-data._CFURLString") AS AppLocation,
timestamp(mactime=get(member="tile-data.file-mod-date")) AS FileModDate,
timestamp(mactime=get(member="tile-data.parent-mod-date")) AS ParentModDate,
get(member="tile-data.bundle-identifier") AS BundleIdentifier,
get(member="tile-data.dock-extra") AS DockExtra,
base64encode(string=get(member="tile-data.book")) AS Book
FROM foreach(row=plist(file=OSPath).`persistent-apps`)
})
column_types:
- name: Book
type: base64hex