---
title: "Protect Audio Plugin Directories | Security Cookbook"
description: "Block writes to audio plugin directories, stopping malicious .component bundles that run as root via coreaudiod for persistence."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/protect-audio-plugins"
---

### Idea

macOS is the platform of choice for audio professionals, which means it has well-known directories where audio software looks for plugins. Attackers have noticed.

Audio plugins execute code when loaded by audio applications — or even by system services like coreaudiod. Drop a malicious `.component` or `.driver` bundle in the right place, and your code runs whenever the user opens GarageBand, or whenever the audio daemon restarts. In the case of `/Library/Audio/Plug-Ins/HAL`, any plugins in that directory are loaded as root!

Lock those directories down with a file access rule. If you have audio producers in your organization, you can use Workshop's tags to only apply these rules to the non-audio-professionals on your team.

### Solutions

File Access: Protect Audio Plugin Directories

Prevent unauthorized writes to audio plugin directories

Path Prefixes

-   `/Library/Audio/Plug-Ins`
-   `/Library/Audio/MIDI Drivers`
-   `/Users/*/Library/Audio/Plug-Ins`
-   `/Users/*/Library/Audio/MIDI Drivers`

Options

-   Allow Read Access: `true`
-   Audit Only: `false`
-   Rule Type: `PathsWithAllowedProcesses`

Custom Message

Audio plugin installation is not allowed

### MITRE ATT&CK

Tactics

-   [Persistence](https://attack.mitre.org/tactics/TA0003/)
-   [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)
-   [Stealth](https://attack.mitre.org/tactics/TA0005/)
-   [Execution](https://attack.mitre.org/tactics/TA0002/)

Techniques

-   [T1546: Event Triggered Execution](https://attack.mitre.org/techniques/T1546/)
-   [T1574.006: Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006/)

### Tags

audio-plugins, persistence, privilege-escalation

### Deployment Notes

This rule blocks writes to common audio plugin directories, preventing attackers from installing malicious plugins that execute code when loaded.

The HAL (Hardware Abstraction Layer) plugin directory is particularly dangerous as plugins there are loaded by coreaudiod as root.

If you have audio producers or DJs on your team who legitimately install audio plugins, use Workshop's tags feature to exempt them from this rule.

### False Positive Guidance

Legitimate audio software installation will trigger this rule:

-   Audio production software (Logic Pro, Ableton, Pro Tools)
-   Audio plugin packages (VST, AU, AAX plugins)
-   Audio interface drivers

Use Workshop tags to identify audio professionals and exempt them, or create an approval workflow for audio plugin installation.
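A rule that blocks writes does nothing about bundles already sitting in these directories, and the machines that already hold plugins are the ones most likely to need the exemption tag. The script below is an added example, not part of the original page or of Workshop or Santa; it inventories what is installed under the rule's four path prefixes. The `root` parameter, the record fields, and treating any directory that contains `Contents/Info.plist` as a bundle are assumptions of this example.

```python
import glob
import os
import plistlib

# Path prefixes from the rule above; "*" stands for one user's home directory.
PREFIXES = [
    "/Library/Audio/Plug-Ins",
    "/Library/Audio/MIDI Drivers",
    "/Users/*/Library/Audio/Plug-Ins",
    "/Users/*/Library/Audio/MIDI Drivers",
]
# Per the page, plugins in this directory are loaded by coreaudiod as root.
HAL_DIR = "/Library/Audio/Plug-Ins/HAL"


def inventory(root="/"):
    """Return one record per bundle found under the protected prefixes.

    `root` (hypothetical parameter) lets the scan run against a mounted
    image or a test tree instead of the live filesystem.
    """
    found = []
    for prefix in PREFIXES:
        pattern = os.path.join(glob.escape(root), prefix.lstrip("/"))
        for base in sorted(glob.glob(pattern)):
            for dirpath, dirnames, _ in os.walk(base):
                plist = os.path.join(dirpath, "Contents", "Info.plist")
                if not os.path.isfile(plist):
                    continue
                dirnames[:] = []  # a bundle is one unit; do not descend into it
                try:
                    with open(plist, "rb") as fh:
                        bundle_id = plistlib.load(fh).get("CFBundleIdentifier")
                except Exception:
                    bundle_id = None  # unreadable or malformed: review by hand
                logical = "/" + os.path.relpath(dirpath, root)
                found.append({
                    "path": logical,
                    "bundle_id": bundle_id,
                    "loaded_as_root": logical.startswith(HAL_DIR + "/"),
                    "mtime": int(os.path.getmtime(dirpath)),
                })
    return found


if __name__ == "__main__":
    for item in inventory():
        print(item)
```

Records with `loaded_as_root` set, or with a `bundle_id` of `None`, are the ones to review first.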

### Resources

[MITRE ATT&CK - Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006/)

