T1547.007: Re-opened Applications

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in.

ID: DS0022
Data source and component: File: File Modification
Description:

Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened.
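
One way to review what these plist files will reopen, as an added example that is not part of the original page: it parses a com.apple.loginwindow plist and flags entries whose application path resolves outside the usual application directories. The TALAppsToRelaunchAtLogin key, its BundleID and Path fields, the trusted directory list and the sample entries are assumptions of this example.

```python
import plistlib
import posixpath
from pathlib import Path

# Assumption: reopened apps are listed under this key as dicts with "BundleID" and "Path".
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Assumption: directories where installed apps normally live; tune for your fleet.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/", "/System/Library/CoreServices/")


def relaunch_entries(plist_bytes):
    """Return (bundle_id, path) for every app the plist will reopen at login."""
    data = plistlib.loads(plist_bytes)  # auto-detects XML or binary plists
    apps = data.get(RELAUNCH_KEY, []) if isinstance(data, dict) else []
    return [(a.get("BundleID", ""), a.get("Path", "")) for a in apps if isinstance(a, dict)]


def suspicious_entries(plist_bytes, trusted=TRUSTED_PREFIXES):
    """Return entries whose path is empty or resolves outside the trusted directories."""
    flagged = []
    for bundle_id, path in relaunch_entries(plist_bytes):
        # Normalise first so "/Applications/../private/tmp/x.app" is not trusted.
        resolved = posixpath.normpath(path) + "/" if path else ""
        if not resolved.startswith(trusted):
            flagged.append((bundle_id, path))
    return flagged


def scan_byhost(home):
    """Map each com.apple.loginwindow.*.plist under `home` to its flagged entries."""
    byhost = Path(home) / "Library" / "Preferences" / "ByHost"
    return {p.name: suspicious_entries(p.read_bytes())
            for p in sorted(byhost.glob("com.apple.loginwindow.*.plist"))}


# Constructed sample input (not taken from a real host).
SAMPLE = plistlib.dumps({RELAUNCH_KEY: [
    {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app", "Hide": False},
    {"BundleID": "com.example.updater", "Path": "/Users/Shared/.cache/updater.app", "Hide": True},
    {"BundleID": "com.example.helper", "Path": "/Applications/../private/tmp/helper.app", "Hide": True},
]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for bundle_id, path in suspicious_entries(SAMPLE):
        print(f"review: {bundle_id} -> {path}")
    print(scan_byhost(Path.home()))
```

A flagged entry is a prompt for review, not a verdict: users legitimately run apps from other locations, so compare results against a baseline for the host.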

Mitigation

ID: M1042
Name: Disable or Remove Feature or Program
Description:

This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.

ID: M1017
Name: User Training
Description:

Holding the Shift key while logging in prevents apps from opening automatically.