Description
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)
Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. Hidden Window) or running additional commands for persistence (ex: Launch Agent/Launch Daemon or Re-opened Applications).
For example, adversaries can add a malicious application path to the ~/Library/Preferences/com.apple.dock.plist file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application’s info.plist file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment, to enable persistence via Dynamic Linker Hijacking.(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)
Platforms
Mitigations (1)
Application Developer GuidanceM1013
Ensure applications are using Apple's developer guidance which enables hardened runtime.(Citation: Apple Developer Doco Hardened Runtime)
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) can create and populate property list (plist) files to enable execution.(Citation: Kandji C... |
| S0658 | XCSSET | Malware | In older versions, [XCSSET](https://attack.mitre.org/software/S0658) uses the <code>plutil</code> command to modify the <code>LSUIElement</code>, <cod... |
References
- ESET. (2012, January 1). OSX/Flashback. Retrieved April 19, 2022.
- FileInfo.com team. (2019, November 26). .PLIST File Extension. Retrieved October 12, 2021.
- Patrick Wardle. (2022, January 1). The Art of Mac Malware Volume 0x1:Analysis. Retrieved April 19, 2022.
Frequently Asked Questions
What is T1647 (Plist File Modification)?
T1647 is a MITRE ATT&CK technique named 'Plist File Modification'. It belongs to the Defense Impairment tactic(s). Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as t...
How can T1647 be detected?
Detection of T1647 (Plist File Modification) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1647?
There are 1 documented mitigations for T1647. Key mitigations include: Application Developer Guidance.
Which threat groups use T1647?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.