Protect Audio Plugin Directories
Block writes to audio plugin directories, stopping malicious .component bundles that run as root via coreaudiod for persistence.
Idea
macOS is the platform of choice for audio professionals, which means it has well-known directories where audio software looks for plugins. Attackers have noticed.
Audio plugins execute code when loaded by audio applications — or even by system services like coreaudiod. Drop a malicious .component or .driver bundle in the right place, and your code runs whenever the user opens GarageBand, or whenever the audio daemon restarts. In the case of /Library/Audio/Plug-Ins/HAL, any plugins in that directory are loaded as root!
Lock those directories down with a file access rule. If you have audio producers in your organization, you can use Workshop's tags to only apply these rules to the non-audio-professionals on your team.
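The following is an added example, not code from Workshop or from this page: a small model of how a write-blocking file access rule with tag-based exemptions can be evaluated. The rule object, its option names and the sample events are all assumptions constructed for illustration; the only directory taken from the page is /Library/Audio/Plug-Ins/HAL. The point it shows beyond the text is path normalisation, so that a write routed through `..` or a look-alike directory name does not slip past a naive string-prefix check.

```python
import posixpath
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    AUDIT = "audit"  # would have been denied, but the rule runs in audit-only mode


@dataclass
class FileAccessRule:
    """Hypothetical model of a write-blocking rule (not Workshop's implementation)."""
    path_prefixes: tuple
    allow_read: bool = True
    audit_only: bool = False
    exempt_tags: frozenset = frozenset()
    custom_message: str = "Write to audio plugin directory blocked"

    def covers(self, path: str) -> bool:
        # Normalise first: "/Library/Audio/Plug-Ins/HAL/../HAL/x" must match,
        # and "/Library/Audio/Plug-Ins/HALX" must not.
        norm = posixpath.normpath(path)
        for prefix in self.path_prefixes:
            p = posixpath.normpath(prefix)
            if norm == p or norm.startswith(p + "/"):
                return True
        return False

    def evaluate(self, path: str, op: str, host_tags=()) -> tuple:
        """Return (verdict, message) for one file-access event."""
        if not self.covers(path):
            return Verdict.ALLOW, ""
        if op == "read" and self.allow_read:
            return Verdict.ALLOW, ""
        if self.exempt_tags & set(host_tags):
            # Hosts tagged as audio professionals are exempt, as the text suggests.
            return Verdict.ALLOW, ""
        if self.audit_only:
            return Verdict.AUDIT, self.custom_message
        return Verdict.DENY, self.custom_message


# Rule configured with the one directory the page names; "audio-producer" is an assumed tag name.
HAL_RULE = FileAccessRule(
    path_prefixes=("/Library/Audio/Plug-Ins/HAL",),
    allow_read=True,
    audit_only=False,
    exempt_tags=frozenset({"audio-producer"}),
)

# Constructed sample events: (path, operation, tags on the host).
SAMPLE_EVENTS = [
    ("/Library/Audio/Plug-Ins/HAL/Evil.driver/Contents/MacOS/Evil", "write", ()),
    ("/Library/Audio/Plug-Ins/HAL/../HAL/Evil.driver/Contents/Info.plist", "write", ()),
    ("/Library/Audio/Plug-Ins/HALX/notes.txt", "write", ()),
    ("/Library/Audio/Plug-Ins/HAL/Vendor.driver/Contents/Info.plist", "read", ()),
    ("/Library/Audio/Plug-Ins/HAL/Vendor.driver/Contents/Info.plist", "write", ("audio-producer",)),
]


def run_sample(rule: FileAccessRule = HAL_RULE) -> list:
    """Evaluate every sample event and return the verdict names in order."""
    return [rule.evaluate(path, op, tags)[0].value for path, op, tags in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (path, op, tags), verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{verdict:6} {op:5} {path}  tags={tags}")
```

The first two events are denied (the second only because of normalisation), the look-alike directory is allowed because it is outside the prefix, the read is allowed by the Allow Read Access option, and the tagged host is exempt. Switching `audit_only=True` turns the two denials into audit verdicts, which is the mode to deploy in first when you do not yet know who on the team installs plugins.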
Deployment Notes
This rule blocks writes to common audio plugin directories, preventing attackers from installing malicious plugins that execute code when loaded.
The HAL (Hardware Abstraction Layer) plugin directory is particularly dangerous as plugins there are loaded by coreaudiod as root.
If you have audio producers or DJs on your team who legitimately install audio plugins, use Workshop's tags feature to exempt them from this rule.
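As an added example (not code from Workshop or from this page), the script below shows the detection side of the same problem: baseline the plugin bundles in a HAL-style directory and report any bundle that has been added or whose contents have changed since the baseline. It builds a constructed directory tree under a temporary folder so it runs offline; the bundle names, file contents and the `demo` helper are all made up for illustration, and only the .driver/.component suffixes and the HAL directory layout come from the page.

```python
import hashlib
import os
import tempfile

# Bundle types named on the page. Assumed: a plugin directory holds bundles directly.
BUNDLE_SUFFIXES = (".driver", ".component")


def fingerprint_bundle(bundle_dir: str) -> str:
    """SHA-256 over every file in the bundle, walked in a fixed order."""
    h = hashlib.sha256()
    for root, _dirs, files in sorted(os.walk(bundle_dir)):
        for name in sorted(files):
            full = os.path.join(root, name)
            h.update(os.path.relpath(full, bundle_dir).encode())
            with open(full, "rb") as f:
                h.update(f.read())
    return h.hexdigest()


def inventory(plugin_dir: str) -> dict:
    """Map bundle name -> fingerprint for each plugin bundle directly under plugin_dir."""
    result = {}
    if not os.path.isdir(plugin_dir):
        return result
    for entry in sorted(os.listdir(plugin_dir)):
        full = os.path.join(plugin_dir, entry)
        if os.path.isdir(full) and entry.endswith(BUNDLE_SUFFIXES):
            result[entry] = fingerprint_bundle(full)
    return result


def diff_against_baseline(current: dict, baseline: dict) -> dict:
    """Bundles that appeared, disappeared, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
    }


def _make_bundle(plugin_dir: str, name: str, binary: bytes) -> None:
    """Constructed stand-in for a plugin bundle: Contents/Info.plist plus one executable."""
    macos = os.path.join(plugin_dir, name, "Contents", "MacOS")
    os.makedirs(macos, exist_ok=True)
    with open(os.path.join(plugin_dir, name, "Contents", "Info.plist"), "wb") as f:
        f.write(b"<plist/>")
    with open(os.path.join(macos, name.split(".")[0]), "wb") as f:
        f.write(binary)


def demo() -> dict:
    """Baseline one legitimate bundle, then simulate an added and a tampered bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        hal = os.path.join(tmp, "Library", "Audio", "Plug-Ins", "HAL")  # mirrors the real layout
        _make_bundle(hal, "Vendor.driver", b"legitimate-bytes")
        baseline = inventory(hal)
        _make_bundle(hal, "Unknown.driver", b"unexpected-bytes")     # new bundle
        _make_bundle(hal, "Vendor.driver", b"replaced-bytes")         # existing bundle rewritten
        return diff_against_baseline(inventory(hal), baseline)


if __name__ == "__main__":
    print(demo())
```

On a real host you would run `inventory("/Library/Audio/Plug-Ins/HAL")` once after a known-good install, store the result, and re-run the diff on a schedule or after a coreaudiod restart; because the page states these bundles load as root, any unexpected entry in that particular directory deserves a higher priority than the same finding in a user-level plugin folder.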
False Positive Guidance
Legitimate audio software installation will trigger this rule:
- Audio production software (Logic Pro, Ableton, Pro Tools)
- Audio plugin packages (VST, AU, AAX plugins)
- Audio interface drivers
Use Workshop tags to identify audio professionals and exempt them, or create an approval workflow for audio plugin installation.