Boot or Logon Autostart Execution: Re-opened Applications (T1547.007)
Tactics: Persistence, Privilege Escalation · Platforms: macOS
The interactive view maps 1 detection strategy, 2 mitigations to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Boot or Logon Autostart Execution (T1547).
Overview
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in". When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish Persistence by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in.