Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt
is provided to the user with a checkbox to "Reopen windows when logging back in".[1]
When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist
within the
~/Library/Preferences/ByHost
directory.[2][3]
Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the
com.apple.loginwindow.[UUID].plist
file to execute payloads when a user logs in.
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program |
This feature can be disabled entirely with the following terminal command: |
M1017 | User Training |
Holding the Shift key while logging in prevents apps from opening automatically.[1] |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in. |
DS0022 | File | File Modification |
Monitoring the specific plist files associated with reopening applications can indicate when an application has registered itself to be reopened. |