Skip to content

T1647 Plist File Modification

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple’s Core Foundation DTD. Plist files can be saved in text or binary format.2

Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications).

For example, adversaries can add a malicious application path to the ~/Library/Preferences/ file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application’s info.plist file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment, to enable persistence via Dynamic Linker Hijacking.31

Item Value
ID T1647
Tactics TA0005
Platforms macOS
Version 1.0
Created 09 April 2022
Last Modified 20 April 2022

Procedure Examples

ID Name Description
S0658 XCSSET XCSSET uses the plutil command to modify the LSUIElement, DFBundleDisplayName, and CFBundleIdentifier keys in the /Contents/Info.plist file to change how XCSSET is visible on the system.5


ID Mitigation Description
M1013 Application Developer Guidance Ensure applications are using Apple’s developer guidance which enables hardened runtime.4


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Modification
DS0009 Process Process Creation