
Hidden Window

The configuration for how applications run on macOS and OS X is stored in property list (plist) files. One tag these files can contain is apple.awt.UIElement, which lets a Java application prevent its icon from appearing in the Dock. A common use for this is an application that runs in the system tray and does not also want to show up in the Dock. However, adversaries can abuse this feature to hide their running window [1].

ID: T1143
Tactic: Defense Evasion
Platform: macOS
Permissions Required: User
Data Sources: File monitoring
Version: 1.0

Mitigations

Mitigation: Execution Prevention
Description: Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.

Detection

Plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.
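
The file check described above, combined with the allowlist from the mitigation, as an added example that is not part of the original page. The nested Java/Properties and JVMOptions placements, the sample plist and the bundle ID are assumptions constructed for illustration; Python's plistlib is used because it reads binary plists as well as text ones.

```python
import plistlib

WATCHED_TAGS = {"apple.awt.UIElement"}  # the tag named above; extend as needed

def _enabled(value):
    if isinstance(value, str):
        return value.strip().lower() in {"1", "true", "yes"}
    return value is True or value == 1

def find_tags(node, path=""):
    """Yield (path, value) for each watched tag anywhere in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in WATCHED_TAGS:
                yield f"{path}/{key}", value
            yield from find_tags(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_tags(item, f"{path}[{i}]")
    elif isinstance(node, str):
        for tag in WATCHED_TAGS:  # JVM option form: -D<tag>=<value>
            if f"-D{tag}=" in node:
                rest = node.split(f"-D{tag}=", 1)[1].split()
                yield path, rest[0] if rest else ""

def check_plist(data, allowlist=frozenset()):
    """Return paths where a watched tag is enabled; [] if clean or allowlisted."""
    try:
        root = plistlib.loads(data)  # accepts XML and binary plists
    except Exception:
        return ["<unparseable plist>"]  # worth a look in its own right
    bundle_id = root.get("CFBundleIdentifier") if isinstance(root, dict) else None
    if isinstance(bundle_id, str) and bundle_id in allowlist:
        return []
    return [p for p, v in find_tags(root) if _enabled(v)]

# Constructed sample Info.plist (not from a real application).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.traytool</string>
  <key>Java</key><dict><key>Properties</key><dict>
    <key>apple.awt.UIElement</key><string>true</string>
  </dict></dict>
  <key>JVMOptions</key><array><string>-Dapple.awt.UIElement=true</string></array>
</dict></plist>"""

if __name__ == "__main__":
    print(check_plist(SAMPLE))
    print(check_plist(SAMPLE, allowlist={"com.example.traytool"}))
```

The bundle identifier is read from the same file being inspected, so an allowlist keyed on it alone trusts a value the file's author controls; pair it with the application's path or code signature before suppressing a finding.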

References