Home
ATT&CK Techniques
T1547.007 Re-opened Applications

T1547.007 Re-opened Applications Mappings

Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist</code>.

An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-16	Security and Privacy Attributes	Protects	T1547.007	Re-opened Applications
AC-3	Access Enforcement	Protects	T1547.007	Re-opened Applications
CM-2	Baseline Configuration	Protects	T1547.007	Re-opened Applications
CM-3	Configuration Change Control	Protects	T1547.007	Re-opened Applications
CM-5	Access Restrictions for Change	Protects	T1547.007	Re-opened Applications
CM-6	Configuration Settings	Protects	T1547.007	Re-opened Applications
CM-7	Least Functionality	Protects	T1547.007	Re-opened Applications
CM-8	System Component Inventory	Protects	T1547.007	Re-opened Applications
RA-5	Vulnerability Monitoring and Scanning	Protects	T1547.007	Re-opened Applications
SI-3	Malicious Code Protection	Protects	T1547.007	Re-opened Applications
SI-4	System Monitoring	Protects	T1547.007	Re-opened Applications
attribute.integrity.variety.Modify configuration	Modified configuration or services	related-to	T1547.007	Boot or Logon Autostart Execution: Re-opened Applications