T1547.007: Re-opened Applications
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user's next logon.

Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in. |
| DS0022 | File: File Modification | Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened. |
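One way to act on the File Modification data source above is to parse the loginwindow plist and review what it will reopen. This is an added example, not part of the original page; the key name TALAppsToRelaunchAtLogin, the per-entry "Path" field and the trusted directory list are assumptions, and the sample plist is constructed.

```python
import glob
import os
import plistlib
import posixpath

# Assumption (not stated on the page): the reopen list is stored under this
# key as an array of dicts, each carrying the application's "Path".
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Assumption: directories where normally installed apps live; tune per fleet.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/",
                    "/System/Library/CoreServices/")
BYHOST_GLOB = "~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist"

def audit_plist_bytes(data, trusted=TRUSTED_PREFIXES):
    """Return (listed, suspicious) application paths from one plist."""
    entries = plistlib.loads(data).get(RELAUNCH_KEY, [])
    listed, suspicious = [], []
    for entry in entries:
        path = entry.get("Path") if isinstance(entry, dict) else None
        if not isinstance(path, str):
            continue
        listed.append(path)
        # Normalise first so "/Applications/../tmp/x.app" is not trusted.
        if not (posixpath.normpath(path) + "/").startswith(trusted):
            suspicious.append(path)
    return listed, suspicious

def audit_current_user():
    """Audit the current user's loginwindow plists: {file: suspicious paths}."""
    findings = {}
    for name in glob.glob(os.path.expanduser(BYHOST_GLOB)):
        with open(name, "rb") as fh:
            findings[name] = audit_plist_bytes(fh.read())[1]
    return findings

# Constructed sample plist (not taken from a real host).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>TALAppsToRelaunchAtLogin</key><array>
<dict><key>Path</key><string>/Applications/Safari.app</string></dict>
<dict><key>Path</key><string>/Users/Shared/.cache/helper.app</string></dict>
<dict><key>Path</key><string>/Applications/../tmp/updater.app</string></dict>
</array></dict></plist>"""

if __name__ == "__main__":
    print("sample:", audit_plist_bytes(SAMPLE)[1])
    for plist_file, paths in audit_current_user().items():
        print(plist_file, paths)
```

Paths outside the trusted directories are leads for review rather than verdicts, since users can legitimately run applications from other locations.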
Mitigation
| ID | Name | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | This feature can be disabled entirely with the following terminal command: |
| M1017 | User Training | Holding the Shift key while logging in prevents apps from opening automatically. |