Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist</code>.
An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1547.007 | Re-opened Applications |
| AC-3 | Access Enforcement | Protects | T1547.007 | Re-opened Applications |
| CM-2 | Baseline Configuration | Protects | T1547.007 | Re-opened Applications |
| CM-3 | Configuration Change Control | Protects | T1547.007 | Re-opened Applications |
| CM-5 | Access Restrictions for Change | Protects | T1547.007 | Re-opened Applications |
| CM-6 | Configuration Settings | Protects | T1547.007 | Re-opened Applications |
| CM-7 | Least Functionality | Protects | T1547.007 | Re-opened Applications |
| CM-8 | System Component Inventory | Protects | T1547.007 | Re-opened Applications |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1547.007 | Re-opened Applications |
| SI-3 | Malicious Code Protection | Protects | T1547.007 | Re-opened Applications |
| SI-4 | System Monitoring | Protects | T1547.007 | Re-opened Applications |