T1647: Plist File Modification
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist
file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.
Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications).
For example, adversaries can add a malicious application path to the \~/Library/Preferences/com.apple.dock.plist
file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement
key in an application’s info.plist
file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment
, to enable persistence via Dynamic Linker Hijacking.
Positive Technologies products that cover the technique
Description of detection methods is not available yet
Detection
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly executed processes with arguments that can modify property list (plist) files. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor for commands with arguments (such as opening common command-line editors) used to modify plist files, especially commonly abused files such as those in |
---|
ID | DS0022 | Data source and component | File: File Modification | Description | Monitor for plist file modification, especially if immediately followed by other suspicious events such as code execution from |
---|
Mitigation
ID | M1013 | Name | Application Developer Guidance | Description | Ensure applications are using Apple's developer guidance which enables hardened runtime. |
---|