T1547.007 Re-opened Applications Mappings

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.

Adversaries can establish Persistence by adding a malicious application path to the <code>com.apple.loginwindow.[UUID].plist</code> file to execute payloads when a user logs in.
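A defender-side audit of the file described above, as an added example that is not part of the original page or of MITRE's material. It assumes the relaunch list is stored under a `TALAppsToRelaunchAtLogin` key whose entries carry `Path` and `BundleID`; the trusted-directory list is a hypothetical policy, and the sample plist is constructed.

```python
import plistlib
import posixpath
from pathlib import Path

# Assumption (not stated on the page): reopened apps are listed under this key,
# each entry a dict with "Path" and "BundleID".
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"
# Hypothetical policy: directories from which reopened apps are expected to run.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/",
                    "/System/Library/CoreServices/")

def relaunch_entries(plist_bytes):
    """Return (bundle_id, path) pairs from one loginwindow plist (XML or binary)."""
    data = plistlib.loads(plist_bytes)  # format is auto-detected
    if not isinstance(data, dict):
        return []
    entries = data.get(RELAUNCH_KEY, [])
    return [(e.get("BundleID", "?"), e.get("Path", ""))
            for e in entries if isinstance(e, dict)]

def suspicious_entries(plist_bytes, trusted=TRUSTED_PREFIXES):
    """Entries whose path is empty, relative, or resolves outside trusted dirs."""
    flagged = []
    for bundle_id, path in relaunch_entries(plist_bytes):
        # Collapse "../" segments so a trusted-looking prefix cannot hide the target.
        norm = posixpath.normpath(path) + "/" if path else ""
        if not norm.startswith("/") or not norm.startswith(trusted):
            flagged.append((bundle_id, path))
    return flagged

# Constructed sample data, not taken from a real host.
SAMPLE = plistlib.dumps({RELAUNCH_KEY: [
    {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app"},
    {"BundleID": "com.example.updater",
     "Path": "/Users/alice/Library/.cache/Updater.app"},
    {"BundleID": "com.example.helper",
     "Path": "/Applications/../private/tmp/Helper.app"},
]})

if __name__ == "__main__":
    byhost = Path.home() / "Library/Preferences/ByHost"
    for plist in sorted(byhost.glob("com.apple.loginwindow.*.plist")):
        for bundle_id, path in suspicious_entries(plist.read_bytes()):
            print(f"{plist.name}: review {bundle_id} -> {path}")
    for bundle_id, path in suspicious_entries(SAMPLE):
        print(f"(sample) review {bundle_id} -> {path}")
```

A flagged entry is a lead for review, not proof of compromise; comparing results against the configuration baseline and the monitoring of this file is what the mapped CM-02 and SI-04 controls cover.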


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1547.007 | Re-opened Applications |
| AC-03 | Access Enforcement | Protects | T1547.007 | Re-opened Applications |
| CM-02 | Baseline Configuration | Protects | T1547.007 | Re-opened Applications |
| CM-03 | Configuration Change Control | Protects | T1547.007 | Re-opened Applications |
| CM-05 | Access Restrictions for Change | Protects | T1547.007 | Re-opened Applications |
| CM-06 | Configuration Settings | Protects | T1547.007 | Re-opened Applications |
| CM-07 | Least Functionality | Protects | T1547.007 | Re-opened Applications |
| CM-08 | System Component Inventory | Protects | T1547.007 | Re-opened Applications |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1547.007 | Re-opened Applications |
| SI-03 | Malicious Code Protection | Protects | T1547.007 | Re-opened Applications |
| SI-04 | System Monitoring | Protects | T1547.007 | Re-opened Applications |