DET0125 Detect persistence via reopened application plist modification (macOS)

| Item | Value |
| --- | --- |
| ID | DET0125 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1547.007 (Re-opened Applications)

Analytics

macOS

AN0349

Unusual modification or creation of loginwindow-related plist files in ‘~/Library/Preferences/ByHost’ correlated with unauthorized application paths and execution upon login.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | macos:unifiedlog | Execution of process launched via loginwindow session restore |
| File Modification (DC0061) | fs:filesystem | Modification or creation of files matching ‘com.apple.loginwindow.*.plist’ in ~/Library/Preferences/ByHost |
| Logon Session Metadata (DC0088) | macos:unifiedlog | LoginWindow context with associated PID linked to reopened plist paths |
| File Metadata (DC0059) | macos:endpointsecurity | es_event_file_rename_t or es_event_file_write_t |

Mutable Elements

| Field | Description |
| --- | --- |
| UserContext | Restrict to targeted users or unexpected users writing to plist |
| FilePathPattern | Allow tuning for alternative persistence paths or directory redirection |
| TimeWindow | Correlate plist write and process execution within logon window |
| BinaryAnomalyScore | Optional scoring of launched binary based on code signing, entropy, and known safe apps |
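
The correlation AN0349 describes, sketched as an added example that is not part of the original page: a write to a ByHost loginwindow plist is paired with a later loginwindow-launched process from an untrusted path, for the same user, inside TimeWindow. The event field names, the sample events, the one-hour window and the trusted path prefixes (a simple stand-in for BinaryAnomalyScore) are assumptions, not a real log schema.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Mutable elements of the analytic; the values are assumptions for this example.
FILE_PATH_PATTERN = "/Users/*/Library/Preferences/ByHost/com.apple.loginwindow.*.plist"
TIME_WINDOW = timedelta(hours=1)
TRUSTED_PREFIXES = ("/Applications/", "/System/")  # stand-in for BinaryAnomalyScore
BYHOST = "/Library/Preferences/ByHost/com.apple.loginwindow.HOST-UUID.plist"


def at(hour, minute):
    return datetime(2025, 1, 1, hour, minute)


# Constructed sample events; the field names are hypothetical, not a real schema.
EVENTS = [
    {"type": "file_write", "user": "alice", "time": at(9, 0),
     "path": "/Users/alice" + BYHOST},
    {"type": "process_exec", "user": "alice", "time": at(9, 10), "parent": "loginwindow",
     "path": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"type": "file_write", "user": "bob", "time": at(9, 5),
     "path": "/Users/bob" + BYHOST},
    {"type": "process_exec", "user": "bob", "time": at(9, 20), "parent": "loginwindow",
     "path": "/Users/bob/.cache/updater"},
    {"type": "process_exec", "user": "bob", "time": at(11, 30), "parent": "loginwindow",
     "path": "/Users/bob/.cache/updater"},   # outside TIME_WINDOW
    {"type": "process_exec", "user": "carol", "time": at(9, 30), "parent": "loginwindow",
     "path": "/Users/carol/bin/agent"},      # no preceding plist write
]


def correlate(events, users=None):
    """Pair ByHost plist writes with later untrusted loginwindow launches (same user)."""
    writes = [e for e in events if e["type"] == "file_write"
              and fnmatchcase(e["path"], FILE_PATH_PATTERN)
              and (users is None or e["user"] in users)]  # UserContext restriction
    alerts = []
    for proc in events:
        if (proc["type"] != "process_exec" or proc["parent"] != "loginwindow"
                or proc["path"].startswith(TRUSTED_PREFIXES)):
            continue
        for w in writes:
            delta = proc["time"] - w["time"]
            if w["user"] == proc["user"] and timedelta(0) <= delta <= TIME_WINDOW:
                alerts.append({"user": proc["user"], "plist": w["path"],
                               "launched": proc["path"], "delay": delta})
    return alerts


if __name__ == "__main__":
    print(*correlate(EVENTS), sep="\n")
```

Widening TIME_WINDOW trades missed detections for more pairings, since the plist write can precede the next login by an arbitrary interval.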