Skip to content

T1547.007 Re-opened Applications

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to “Reopen windows when logging back in”.1 When selected, all applications currently open are added to a property list file named[UUID].plist within the ~/Library/Preferences/ByHost directory.23 Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish Persistence by adding a malicious application path to the[UUID].plist file to execute payloads when a user logs in.

Item Value
ID T1547.007
Sub-techniques T1547.001, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.010, T1547.012, T1547.013, T1547.014, T1547.015
Tactics TA0003, TA0004
Platforms macOS
Permissions required User
Version 1.1
Created 24 January 2020
Last Modified 19 April 2022


ID Mitigation Description
M1042 Disable or Remove Feature or Program This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.
M1017 User Training Holding the Shift key while logging in prevents apps from opening automatically.1


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Modification