Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the <code>com.apple.loginwindow.[UUID].plist</code> file to execute payloads when a user logs in.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1547.007 | Re-opened Applications |
| AC-03 | Access Enforcement | Protects | T1547.007 | Re-opened Applications |
| CM-02 | Baseline Configuration | Protects | T1547.007 | Re-opened Applications |
| CM-03 | Configuration Change Control | Protects | T1547.007 | Re-opened Applications |
| CM-05 | Access Restrictions for Change | Protects | T1547.007 | Re-opened Applications |
| CM-06 | Configuration Settings | Protects | T1547.007 | Re-opened Applications |
| CM-07 | Least Functionality | Protects | T1547.007 | Re-opened Applications |
| CM-08 | System Component Inventory | Protects | T1547.007 | Re-opened Applications |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1547.007 | Re-opened Applications |
| SI-03 | Malicious Code Protection | Protects | T1547.007 | Re-opened Applications |
| SI-04 | System Monitoring | Protects | T1547.007 | Re-opened Applications |