T1547.011 Plist Modification Mappings

Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain the information that macOS and OS X use to configure applications and services. In their text form these files are UTF-8 encoded and formatted like XML documents, as a series of keys surrounded by < >; they may also be stored in Apple's binary plist format, which has to be converted (for example with <code>plutil -convert xml1</code>) before it can be read as text. They detail when programs should execute, the file paths to the executables, program arguments, required OS permissions, and more. plists are located in certain locations depending on their purpose, such as <code>/Library/Preferences</code> (system-wide, where the programs they configure execute with elevated privileges) and <code>~/Library/Preferences</code> (per-user, where they execute with that user's privileges).

Adversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges, since the programs they launch may execute in the context of another user.(Citation: Sofacy Komplex Trojan)

A specific plist used for execution at login is <code>com.apple.loginitems.plist</code>.(Citation: Methods of Mac Malware Persistence) Applications under this plist run in the logged-in user's context and are started every time the user logs in. Login items installed using the Service Management Framework are not visible in System Preferences and can only be removed by the application that created them.(Citation: Adding Login Items) Users have direct control over login items installed using a shared file list, which are also visible in System Preferences.(Citation: Adding Login Items) Some of these applications can open visible dialogs to the user, but they do not all have to, since there is an option to "hide" the window. If an adversary can register their own login item or modify an existing one, they can use it to execute their code as a persistence mechanism each time the user logs in.(Citation: Malware Persistence on OS X)(Citation: OSX.Dok Malware) The API method <code>SMLoginItemSetEnabled</code> can be used to set login items, but scripting languages like AppleScript can do this as well.(Citation: Adding Login Items)
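The two paragraphs above describe what a persistence plist contains (executable paths, arguments, when to run) and where it lives. The following is an added example, not part of the original page or of MITRE's own tooling, of the kind of check a defender would run to support the baseline-configuration and integrity mappings listed below: it parses a plist in either the XML form described above or Apple's binary form, pulls out the executable paths it references, flags paths outside normal system locations, and compares the file against a known-good hash. The sample plist is constructed for this example; its label and paths are made up, and the key names (<code>Label</code>, <code>ProgramArguments</code>, <code>RunAtLoad</code>) are those of a launchd job rather than of <code>com.apple.loginitems.plist</code>, whose internal layout the page does not describe. The set of "system" prefixes is an assumption a real deployment would tune.

```python
import hashlib
import plistlib

# Constructed sample: a persistence plist in the XML form described above.
# The label and the executable path are made up for this example; the key
# names are standard launchd job keys.
SAMPLE_XML_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/Shared/.cache/updater</string>
        <string>--silent</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Many plists on disk are in Apple's binary format rather than XML. plistlib
# reads both, so the same sample is re-serialised here to exercise that path.
SAMPLE_BINARY_PLIST = plistlib.dumps(plistlib.loads(SAMPLE_XML_PLIST),
                                     fmt=plistlib.FMT_BINARY)

# Assumed set of locations where a legitimately installed program normally
# lives; anything launched from elsewhere is worth a second look.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                   "/Applications/", "/Library/Apple/")


def plist_format(data: bytes) -> str:
    """Binary plists start with the magic bytes 'bplist'; everything else is treated as XML."""
    return "binary" if data.startswith(b"bplist") else "xml"


def executable_paths(value) -> list:
    """Recursively collect string values that look like absolute file paths,
    whatever key they sit under (ProgramArguments, Program, a nested dict...)."""
    found = []
    if isinstance(value, str):
        if value.startswith("/"):
            found.append(value)
    elif isinstance(value, dict):
        for v in value.values():
            found.extend(executable_paths(v))
    elif isinstance(value, list):
        for v in value:
            found.extend(executable_paths(v))
    return found


def inspect_plist(data: bytes) -> dict:
    """Summarise one plist: its on-disk format, a hash for baselining,
    whether it asks to run automatically, and the paths it references."""
    obj = plistlib.loads(data)  # auto-detects XML vs binary
    paths = executable_paths(obj)
    run_at_load = bool(obj.get("RunAtLoad", False)) if isinstance(obj, dict) else False
    return {
        "format": plist_format(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "run_at_load": run_at_load,
        "paths": paths,
        "nonsystem_paths": [p for p in paths if not p.startswith(SYSTEM_PREFIXES)],
    }


def changed_since_baseline(data: bytes, baseline_sha256: str) -> bool:
    """Integrity check against a hash recorded when the plist was known-good."""
    return hashlib.sha256(data).hexdigest() != baseline_sha256


if __name__ == "__main__":
    for name, blob in (("xml", SAMPLE_XML_PLIST), ("binary", SAMPLE_BINARY_PLIST)):
        report = inspect_plist(blob)
        print(name, report["format"], report["run_at_load"], report["nonsystem_paths"])
```

The hash is taken over the raw bytes, so converting a plist between XML and binary changes it even when the content is identical; a baseline should therefore be recorded per file as it sits on disk, and a format change on a previously baselined file is itself a signal worth reviewing.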


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1547.011 | Plist Modification |
| AC-17 | Remote Access | Protects | T1547.011 | Plist Modification |
| AC-3 | Access Enforcement | Protects | T1547.011 | Plist Modification |
| AC-6 | Least Privilege | Protects | T1547.011 | Plist Modification |
| CA-7 | Continuous Monitoring | Protects | T1547.011 | Plist Modification |
| CM-2 | Baseline Configuration | Protects | T1547.011 | Plist Modification |
| CM-3 | Configuration Change Control | Protects | T1547.011 | Plist Modification |
| CM-5 | Access Restrictions for Change | Protects | T1547.011 | Plist Modification |
| CM-6 | Configuration Settings | Protects | T1547.011 | Plist Modification |
| CM-7 | Least Functionality | Protects | T1547.011 | Plist Modification |
| SI-4 | System Monitoring | Protects | T1547.011 | Plist Modification |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1547.011 | Plist Modification |
| attribute.integrity.variety.Modify configuration | Modified configuration or services | related-to | T1547.011 | Boot or Logon Autostart Execution: Plist Modification |