Home
ATT&CK Techniques
T1647 Plist File Modification

T1647 Plist File Modification

Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)

Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications).

For example, adversaries can add a malicious application path to the ~/Library/Preferences/com.apple.dock.plist file, which controls apps that appear in the Dock. Adversaries can also modify the <code>LSUIElement</code> key in an application’s <code>info.plist</code> file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as <code>LSEnvironment</code>, to enable persistence via Dynamic Linker Hijacking.(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.PS-06.01	Secure SDLC process	Mitigates	T1647	Plist File Modification	Comments This diagnostic statement helps protect the modification of property list files (plist files) through secure development practices, such as enabling hardened runtime. References
PR.PS-06.07	Development and operational process alignment	Mitigates	T1647	Plist File Modification	Comments This diagnostic statement protects against Plist File Modification through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1647	Plist File Modification
CM-06	Configuration Settings	mitigates	T1647	Plist File Modification
CM-05	Access Restrictions for Change	mitigates	T1647	Plist File Modification
AC-17	Remote Access	mitigates	T1647	Plist File Modification
SA-10	Developer Configuration Management	mitigates	T1647	Plist File Modification
SI-07	Software, Firmware, and Information Integrity	mitigates	T1647	Plist File Modification
AC-16	Security and Privacy Attributes	mitigates	T1647	Plist File Modification
CM-02	Baseline Configuration	mitigates	T1647	Plist File Modification
SA-11	Developer Testing and Evaluation	mitigates	T1647	Plist File Modification
SA-08	Security and Privacy Engineering Principles	mitigates	T1647	Plist File Modification
CM-07	Least Functionality	mitigates	T1647	Plist File Modification
SI-04	System Monitoring	mitigates	T1647	Plist File Modification
AC-03	Access Enforcement	mitigates	T1647	Plist File Modification
AC-06	Least Privilege	mitigates	T1647	Plist File Modification
CM-03	Configuration Change Control	mitigates	T1647	Plist File Modification

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
google_secops	Google Security Operations	technique_scores	T1647	Plist File Modification	Comments Google Security Operations is able to trigger alerts based on executed commands that modify files where plists are typically located. References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']