Description
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish persistence by adding the path of a malicious application to the com.apple.loginwindow.[UUID].plist file, so that the payload is launched at the user's next login even though the user never selected it at logout.
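The description above gives the location of the file but not its layout. As an added example (not code from the MITRE ATT&CK page or its cited sources), the script below parses a constructed com.apple.loginwindow.[UUID].plist with Python's standard plistlib and flags relaunch entries that point outside the usual application directories. The key layout it assumes, a TALAppsToRelaunchAtLogin array of dictionaries carrying Path, BundleID, Hide and BackgroundState, follows Wardle's write-up of this persistence method; the allowlisted prefixes and the sample entries are assumptions made for the demonstration.

```python
"""Audit macOS 'Re-opened Applications' plists for T1547.007 persistence.

Added example, not part of the ATT&CK page. Assumptions: the plist carries a
TALAppsToRelaunchAtLogin array of dicts with Path/BundleID/Hide/BackgroundState
(per Wardle's description), and the TRUSTED_PREFIXES allowlist below is a
starting point a defender would tune, not an Apple-defined list.
"""
import plistlib
import tempfile
from pathlib import Path

# Directories a legitimate relaunch entry is expected to come from (assumed
# allowlist). Anything else, e.g. a hidden folder under a user's home, gets flagged.
TRUSTED_PREFIXES = ("/Applications/", "/System/Applications/", "/System/Library/")

# Constructed sample: one benign Safari entry and one entry pointing at an app
# bundle hidden in the user's home directory with the Hide flag set.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>TALAppsToRelaunchAtLogin</key>
  <array>
    <dict>
      <key>BackgroundState</key><integer>2</integer>
      <key>BundleID</key><string>com.apple.Safari</string>
      <key>Hide</key><false/>
      <key>Path</key><string>/Applications/Safari.app</string>
    </dict>
    <dict>
      <key>BackgroundState</key><integer>2</integer>
      <key>BundleID</key><string>com.example.updater</string>
      <key>Hide</key><true/>
      <key>Path</key><string>/Users/alice/Library/.cache/Updater.app</string>
    </dict>
  </array>
</dict>
</plist>
"""


def parse_relaunch_entries(data: bytes) -> list:
    """Return the list of relaunch dictionaries from a loginwindow plist."""
    plist = plistlib.loads(data)
    entries = plist.get("TALAppsToRelaunchAtLogin", [])
    if not isinstance(entries, list):
        raise ValueError("TALAppsToRelaunchAtLogin is not an array")
    return entries


def suspicious_entries(entries: list) -> list:
    """Flag entries whose Path is outside the allowlist or that lack a BundleID.

    The Hide flag is reported as supporting context only: legitimate apps that
    were hidden at logout also carry it, so it is not an indicator on its own.
    """
    findings = []
    for entry in entries:
        path = entry.get("Path", "")
        reasons = []
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("path outside trusted application directories")
        if not entry.get("BundleID"):
            reasons.append("missing BundleID")
        if reasons:
            if entry.get("Hide") is True:
                reasons.append("Hide flag set: relaunched without a visible window")
            findings.append({"path": path, "reasons": reasons})
    return findings


def audit_byhost_dir(prefs_dir: Path) -> list:
    """Audit every com.apple.loginwindow.<UUID>.plist in a ByHost directory.

    On a live host this is ~/Library/Preferences/ByHost; the UUID component is
    the machine's hardware UUID, so the glob avoids hard-coding it.
    """
    findings = []
    for plist_path in sorted(prefs_dir.glob("com.apple.loginwindow.*.plist")):
        findings.extend(suspicious_entries(parse_relaunch_entries(plist_path.read_bytes())))
    return findings


def demo() -> list:
    """Write the constructed sample into a temporary ByHost-style dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        byhost = Path(tmp)
        (byhost / "com.apple.loginwindow.00000000-0000-0000-0000-000000000000.plist").write_bytes(SAMPLE_PLIST)
        return audit_byhost_dir(byhost)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

To run this against a real account, point audit_byhost_dir at Path.home() / "Library/Preferences/ByHost". An entry that appears in the file while the user has not logged out or restarted since the last check is the stronger signal; the path allowlist only narrows what to look at.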
Platforms
Mitigations (2)
Disable or Remove Feature or Program (M1042)
This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no. The -g flag writes the current user's global preferences domain, so the command must be run in each user account to be protected.
User Training (M1017)
Holding the Shift key while logging in prevents apps from opening automatically.(Citation: Re-Open windows on Mac)
References
- Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017.
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.
Frequently Asked Questions
What is T1547.007 (Re-opened Applications)?
T1547.007 is the MITRE ATT&CK sub-technique 'Re-opened Applications', a child of Boot or Logon Autostart Execution (T1547) under the Persistence and Privilege Escalation tactics. It covers adversaries modifying the com.apple.loginwindow.[UUID].plist file in ~/Library/Preferences/ByHost, which macOS uses to reopen applications after a logout or restart, so that a malicious application is launched automatically when the user logs in.
How can T1547.007 be detected?
Detection of T1547.007 centers on the plist itself: monitor ~/Library/Preferences/ByHost for creation or modification of com.apple.loginwindow.[UUID].plist that is not immediately preceded by a user-initiated logout or restart, and review the application paths it lists for binaries outside the normal application directories. Correlating those file events with the writing process and with processes spawned at the next login helps separate the feature's normal use from abuse.
What mitigations exist for T1547.007?
ATT&CK lists two mitigations for T1547.007: Disable or Remove Feature or Program (M1042), by turning the feature off with defaults write -g ApplePersistence -bool no, and User Training (M1017), by teaching users to hold the Shift key while logging in so that no applications are reopened.