T1547.007 Re-opened Applications
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to “Reopen windows when logging back in”.[1] When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.[2][3] Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.
| Item | Value |
|---|---|
| ID | T1547.007 |
| Sub-techniques | T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015 |
| Tactics | TA0003, TA0004 |
| Platforms | macOS |
| Permissions required | User |
| Version | 1.1 |
| Created | 24 January 2020 |
| Last Modified | 19 April 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | This feature can be disabled entirely with the following terminal command: `defaults write -g ApplePersistence -bool no` |
| M1017 | User Training | Holding the Shift key while logging in prevents apps from opening automatically.[1] |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Modification |
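
One way to act on the File Modification data source is to audit what the reopen list currently contains. The following is an added example, not part of the original page: it parses com.apple.loginwindow.[UUID].plist files and reports entries whose application path lies outside expected install locations. The key names TALAppsToRelaunchAtLogin, BundleID and Path and the allow-listed prefixes are assumptions not stated on this page, and the sample plist is constructed.

```python
import glob
import os
import plistlib
import posixpath

# Assumption: key macOS uses for the reopen list (not stated on this page).
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Assumption: locations treated as expected for installed apps; tune per fleet.
EXPECTED_PREFIXES = ("/Applications/", "/System/Applications/", "/System/Library/")


def audit_relaunch_plist(raw: bytes, expected=EXPECTED_PREFIXES):
    """Return reopen entries whose Path falls outside the expected locations."""
    plist = plistlib.loads(raw)  # auto-detects XML or binary plists
    findings = []
    for entry in plist.get(RELAUNCH_KEY, []):
        path = entry.get("Path", "")
        # Normalise so "/Applications/../tmp/x.app" is not read as /Applications.
        normalised = posixpath.normpath(path) + "/"
        if not path or not normalised.startswith(expected):
            findings.append({"bundle_id": entry.get("BundleID"), "path": path})
    return findings


def scan_byhost(home: str):
    """Audit every com.apple.loginwindow.[UUID].plist in a user's ByHost directory."""
    pattern = os.path.join(home, "Library/Preferences/ByHost",
                           "com.apple.loginwindow.*.plist")
    results = {}
    for plist_path in glob.glob(pattern):
        with open(plist_path, "rb") as fh:
            results[plist_path] = audit_relaunch_plist(fh.read())
    return results


# Constructed sample: one ordinary entry, one dot-directory path, one traversal path.
SAMPLE = plistlib.dumps({RELAUNCH_KEY: [
    {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app"},
    {"BundleID": "com.example.updater", "Path": "/Users/alice/.cache/Updater.app"},
    {"BundleID": "com.example.helper", "Path": "/Applications/../private/tmp/Helper.app"},
]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for finding in audit_relaunch_plist(SAMPLE):
        print("unexpected reopen entry:", finding)
    for path, findings in scan_byhost(os.path.expanduser("~")).items():
        print(path, findings)
```

Run periodically or on a file-modification event for the ByHost directory, and compare findings against a baseline, since legitimately installed applications in user-writable locations will also be reported.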
References
1. Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017.
2. Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
3. Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.