
T1547.007 Re-opened Applications

Sub-technique of T1547

Platforms: macOS

ATT&CK version: 14.1

What it is

Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". (Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named `com.apple.loginwindow.[UUID].plist` within the `~/Library/Preferences/ByHost` directory. (Citation: Methods of Mac Malware Persistence) (Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon. Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the `com.apple.loginwindow.[UUID].plist` file to execute payloads when a user logs in.
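For detection, the application paths listed in that plist can be audited against the locations where applications are expected to live. The following is an added example, not code from MITRE ATT&CK or the cited references; the `TALAppsToRelaunchAtLogin` key and its `Path`/`BundleID` fields are assumptions about the file layout that the page does not state, and the trusted directory list and sample entries are constructed.

```python
import plistlib
import posixpath

# Assumption: locations where reopened applications are expected to live; tune per fleet.
TRUSTED_ROOTS = ("/Applications", "/System/Applications", "/System/Library/CoreServices")

# Assumption (not stated on the page): loginwindow keeps the reopen list under this
# key, one dict per application carrying "Path" and "BundleID".
RELAUNCH_KEY = "TALAppsToRelaunchAtLogin"

# Constructed sample standing in for com.apple.loginwindow.[UUID].plist.
SAMPLE = plistlib.dumps({RELAUNCH_KEY: [
    {"BundleID": "com.apple.Safari", "Path": "/Applications/Safari.app"},
    {"BundleID": "com.example.updater", "Path": "/Users/alice/Library/.cache/Updater.app"},
    {"BundleID": "com.example.notes", "Path": "/Applications/../private/tmp/Notes.app"},
]})


def audit_relaunch_plist(raw: bytes) -> list:
    """Return one finding per reopen entry whose path deserves analyst review."""
    findings = []
    for entry in plistlib.loads(raw).get(RELAUNCH_KEY, []):
        raw_path = str(entry.get("Path", ""))
        # Collapse ".." segments so a path cannot merely look like /Applications/...
        path = posixpath.normpath(raw_path) if raw_path else ""
        reasons = []
        if not path.startswith("/"):
            reasons.append("not an absolute path")
        elif not any(path.startswith(root + "/") for root in TRUSTED_ROOTS):
            reasons.append("outside trusted application directories")
        if any(part.startswith(".") for part in path.split("/") if part):
            reasons.append("hidden path component")
        if reasons:
            findings.append({
                "bundle_id": entry.get("BundleID", ""),
                "path": raw_path,
                "resolved": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_relaunch_plist(SAMPLE):
        print(finding["bundle_id"], finding["resolved"], "; ".join(finding["reasons"]))
```

On an endpoint, pass the bytes of each matching file under `~/Library/Preferences/ByHost` to `audit_relaunch_plist` and compare the findings between collections to spot entries the user did not have open at logout.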

ATT&CK tactics (2): Persistence, Privilege Escalation

References

  1. https://attack.mitre.org/techniques/T1547/007
  2. https://support.apple.com/en-us/HT204005
  3. https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
  4. https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.